Do not write any executable statement inside a switch loop before the first case statement. The statements are never executed, as the compiler ignores statements present before the first case statement inside the switch block.
If a programmer declares variables and initializes them before the first case statement and try to use them inside any of the case statements, those variables will have scope inside the switch block, but will not be initialized and will consequently contain garbage values.
Non Compliant Code:
In the example mentioned below, the variable i is instantiated with automatic storage duration within the block, but is not initialized. Consequently, if the controlling expression has a non-zero value, the call to ((printf()}} will access an indeterminate value of i. Similarly, the call to function will also never get executed.
int func(int expr) {
switch(expr){
int i = 4;
f(i);
case 0:
i = 17;
/*falls through into default code */
default:
printf(â%d\nâ, i);
}
return 0;
}
Compliant Solution
In this compliant solution, the statements before the first case statement are moved outside the switch block, improving the predictability and readability of the code.
int func(int expr) {
int i = 4; // Move the code outside the switch block
f(i); // Now the statements will get executed
switch(expr) {
case 0:
i = 17;
/*falls through into default code */
default:
printf(â%d\nâ, i);
}
return 0;
}
Risk Assessment
Using test conditions or initializing variables inside the switch block before the first case statement, can result in unexpected behavior as the above code will not be executed.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
|
Medium |
unlikely |
medium |
P2 |
L3 |