There are situations in which a function may return an array based on its length. In the case that an array of length zero is being returned, NULL should not be used. An empty array must be used to ensure the caller function can handle the return value correctly.
While C does not keep track of the length of an array, two popular methods have emerged to emulate this behavior. The first is to wrap the array in a struct with an integer storing the length. The second is to place a sentinel value at the end of the data in the array. This second approach is most commonly manifested in null-terminated byte strings (NTBS).
Noncompliant Code Example (Struct)
In the example below, there is an inventory system keeping track of the total number of different items (denoted length). Each item is given an index in the array, and the value for that index is the stock of that item. Adding a new item would increase length in the struct. Stocking more of an item would increase the value for that item's index. For example, if 5 books and 2 erasers were in stock, the inventory would be stockOfItem[0] = 5 and stockOfItem[1] = 2, assuming books were index 0 and erasers were index 1.
The problem arises in this setup when no items are being stocked. getStock would recognize that length = 0 and thus would return NULL. In this noncompliant code example, erroneous behavior results from getStock returning NULL while main neglects to check for such a value. This results in an abnormal program termination after returning to the main function.
#include <stdio.h>
enum { INV_SIZE=20 };
typedef struct {
size_t stockOfItem[INV_SIZE];
size_t length;
} Inventory;
size_t *getStock(Inventory iv);
int main(void) {
Inventory iv;
size_t *item;
iv.length = 0;
/* Other code that might modify the inventory but still leave no items in it upon completion */
item = getStock(iv);
printf("Stock of first item in inventory: %d\n", item[0]);
return 0;
}
size_t *getStock(Inventory iv) {
if (iv.length == 0) {
return NULL;
}
else {
return iv.stockOfItem;
}
}
Compliant Solution
This compliant solution eliminates the NULL return and simply returns the item array, even if it is zero-length. The main function can effectively handle this situation without exhibiting erroneous behavior.
#include <stdio.h>
enum { INV_SIZE=20 };
typedef struct {
size_t stockOfItem[INV_SIZE];
size_t length;
} Inventory;
size_t *getStock(Inventory iv);
int main(void) {
Inventory iv;
size_t i;
size_t *item;
iv.length = 0;
/* Other code that might modify the inventory but still leave no items in it upon completion */
item = getStock(iv);
if (iv.length != 0) {
printf("Stock of first item in inventory: %d\n", item[0]);
}
return 0;
}
size_t *getStock(Inventory iv) {
return iv.stockOfItem;
}
Noncompliant Code Example (Sentinel Value)
The code below implements an inventory system similar to the one described above. However, instead of storing the length of the array in a struct, a sentinel value of FINAL_ITEM is used. The value for the index following the last item is set as FINAL_ITEM. It is assumed that out of stock items (assigned value 0) are removed from the array, and the contents of later items shifted to lower indexes.
The example below attempts to return an array of the items in stock, sorted by the amount of each item in stock. The arraySort function incorrectly returns NULL instead of a pointer to an empty array when no items are in stock. This will be improperly handled by the main function, which is attempting to print out the returned array. This will result in an abnormal program termination.
#include <stdio.h>
enum { FINAL_ITEM=SIZE_MAX, INV_SIZE=20 };
size_t *arraySort(size_t *array);
int main(void) {
size_t i;
size_t stockOfItem[INV_SIZE];
size_t *sortedArray;
/* Other code that might use stockarray but leaves it empty */
sortedArray = arraySort(stockOfItem);
for (i = 0; sortedArray[i] != FINAL_ITEM; i++) {
printf("Item stock: %d", sortedArray[i]);
}
return 0;
}
/* Create new sorted array */
size_t *arraySort(size_t *array) {
size_t i;
size_t *sortedArray
for(i = 0; array[i] != FINAL_ITEM; i++);
if (i == 0) {
return NULL;
}
sortedArray = (size_t*) malloc(sizeof(size_t)*i);
if (sortedArray == NULL) {
/* Handle memory error */
}
/* Add sorted data to array*/
}
Compliant Code Example (Sentinel Value)
The example below correctly returns an empty array in the sortedArray function. If the size of the array is zero, then sortedArray allocates an array of size 1 and fills it with the sentinel value. It can then successfully return that array to the caller function.
#include <stdio.h>
enum { FINAL_ITEM=SIZE_MAX, INV_SIZE=20 };
size_t *arraySort(size_t *array);
int main(void) {
size_t i;
size_t stockOfItem[INV_SIZE];
size_t *sortedArray;
/* Other code that might use stockarray but leaves it empty */
sortedArray = arraySort(stockOfItem);
for (i = 0; sortedArray[i] != FINAL_ITEM; i++) {
printf("Item stock: %d", sortedArray[i]);
}
return 0;
}
/* Create new sorted array */
size_t *arraySort(size_t *array) {
size_t i;
size_t *sortedArray
for(i = 0; array[i] != FINAL_ITEM; i++);
if (i == 0) {
static emptyArray = (size_t*) malloc(sizeof(size_t));
if(emptyArray == NULL) {
/* Handle memory error */
}
emptyArray[0] = FINAL_ITEM;
return emptyArray;
}
sortedArray = (size_t*) malloc(sizeof(size_t)*i);
if (sortedArray == NULL) {
/* Handle memory error */
}
/* Add sorted data to array*/
}
Risk Assessment
Returning NULL rather than a zero-length array may lead to vulnerabilities when the client code does not handle NULL properly. This can result in abnormal program termination when the calling function performs operations on NULL.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MSC19-C |
low |
unlikely |
high |
P1 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Other Languages
This guideline appears in the Java Secure Coding Standard as MET03-J. For methods that return an array or collection prefer returning an empty array or collection over a null value.
References
[[Bloch 08]] Item 43: return empty arrays or collections, not nulls