SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Do not call non-reentrant functions within signal handlers. This could result in several issues, including heap damage and semantic vulnerabilities.

According to the "Signals and Interrupts" section of the C99 Rationale:

When a signal occurs, the normal flow of control of a program is interrupted. If a signal occurs that is being trapped by a signal handler, that handler is invoked. When it is finished, execution continues at the point at which the signal occurred. This arrangement could cause problems if the signal handler invokes a library function that was being executed at the time of the signal. Since library functions are not guaranteed to be reentrant, they should not be called from a signal handler that returns.

And according to the OpenBSD signal() man page

The following functions are either reentrant or not interruptible by sig-
nals and are asyncronous-signal safe. Therefore applications may invoke
them, without restriction, from signal-catching functions:

Base Interfaces:

_exit(), access(), alarm(), cfgetispeed(), cfgetospeed(), cfsetispeed(),
cfsetospeed(), chdir(), chmod(), chown(), close(), creat(), dup(),
dup2(), execle(), execve(), fcntl(), fork(), fpathconf(), fstat(),
fsync(), getegid(), geteuid(), getgid(), getgroups(), getpgrp(),
getpid(), getppid(), getuid(), kill(), link(), lseek(), mkdir(),
mkfifo(), open(), pathconf(), pause(), pipe(), raise(), read(), rename(),
rmdir(), setgid(), setpgid(), setsid(), setuid(), sigaction(),
sigaddset(), sigdelset(), sigemptyset(), sigfillset(), sigismember(),
signal(), sigpending(), sigprocmask(), sigsuspend(), sleep(), stat(),
sysconf(), tcdrain(), tcflow(), tcflush(), tcgetattr(), tcgetpgrp(),
tcsendbreak(), tcsetattr(), tcsetpgrp(), time(), times(), umask(),
uname(), unlink(), utime(), wait(), waitpid(), write().

Non-Compliant Coding Example






Compliant Solution



Signal handlers should be as minimal as possible, only setting a flag where appropriate, and returning.



Risk Assessment



Depending on the code, this could lead to any number of attacks, many of which could give root access. This is extremely dangerous. For an overview of actual issues, see Zalewski's signal article.







 Rule 


 Severity 


 Likelihood 


 Remediation Cost 


 Priority 


 Level 






 MSCxx-C 


 3 (high) 


 3 (likely) 


 1 (high) 


 P9 


 L2 








References



[[ISO/IEC 03]] "Signals and Interrupts"

[[Open Group 04]] longjmp

[OpenBSD] signal() Man Page

[Zalewski] http://lcamtuf.coredump.cx/signals.txt


                
        
    
        


                        
    





    

	

		
    
    
            
  • 
            No labels
        
    •