Redundant testing by caller and by callee as a style of defensive programming is largely discredited within the C and C++ community, the main problem being performance. The usual discipline in C and C++ is to require validation only on one side of each interface.

Requiring the caller to validate arguments can result in faster code because the caller may understand certain invariants that prevent invalid values from being passed. Requiring the callee to validate arguments allows the validation code to be encapsulated in one location, reducing the size of the code and making it more likely that these checks are performed in a consistent and correct fashion.

For safety and security reasons, this standard recommends that the called function validate its parameters. Validity checks allow the function to survive at least some forms of improper usage, enabling an application using the function to likewise survive. Validity checks can also simplify the task of determining the condition that caused the invalid parameter.

Noncompliant Code Example

In this noncompliant code example, setfile() and usefile() do not validate their parameters. It is possible that an invalid file pointer can be used by the library, corrupting the library's internal state and exposing a vulnerability.

/* sets some internal state in the library */
extern int setfile(FILE *file);

/* performs some action using the file passed earlier */
extern int usefile();

static FILE *myFile;

void setfile(const FILE *file) {
    myFile = file;
}

void usefile(void) {
    /* perform some action here */
}

The vulnerability can be more severe if the internal state references sensitive or system-critical data.

Compliant Solution

Validating the function parameters and verifying the internal state leads to consistency of program execution and may eliminate potential vulnerabilities. In addition, implementing commit/rollback semantics (leaving program state unchanged on error) is a desirable practice for error safety.

/* sets some internal state in the library */
extern int setfile(FILE *file);

/* performs some action using the file passed earlier */
extern int usefile();

static FILE *myFile;

errno_t setfile(FILE *file) {
 if (file && !ferror(file) && !feof(file)) {
    myFile = file;
    return 0;
  }

  /* error safety: leave myFile unchaned */
  return EINVAL;
}

errno_t usefile(void) {
  if (!myFile) return -1;

    /* perform other checks if needed, return 
     * error condition */

    /* perform some action here */
    return 0;
}

Risk Assessment

Failing to validate the parameters in library functions may result in an access violation or a data integrity violation. Such a scenario is indicative of a flaw in the manner in which the library is used by the calling code. However, it may still be the library itself that is the vector by which the calling code's vulnerability is exploited.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

API00-C

medium

unlikely

high

P2

L3

Automated Detection

Tool

Version

Checker

Description

LDRA tool suite

 

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: MSC08-CPP. Functions should validate their parameters

MITRE CWE: CWE ID 20, "Insufficient Input Validation"

Bibliography

[Apple 2006] Application Interfaces That Enhance Security, May 2006.