If control reaches the closing curly brace (}) of a non-void function without evaluating a return statement, using the return value of the function call is undefined behavior (see undefined behavior 88).
In this noncompliant code example, control reaches the end of the checkpass() function when the two strings passed to strcmp() are not equal, resulting in undefined behavior. Many compilers will generate code for the checkpass() function, returning various values along the execution path where no return statement is defined.
#include <string.h>
#include <stdio.h>
int checkpass(const char *password) {
if (strcmp(password, "pass") == 0) {
return 1;
}
}
void func(const char *userinput) {
if (checkpass(userinput)) {
printf("Success\n");
}
} |
This error is frequently diagnosed by compilers (see MSC00-C. Compile cleanly at high warning levels).
This compliant solution ensures that the checkpass() function always returns a value:
#include <string.h>
#include <stdio.h>
int checkpass(const char *password) {
if (strcmp(password, "pass") == 0) {
return 1;
}
return 0;
}
void func(const char *userinput) {
if (checkpass(userinput)) {
printf("Success!\n");
}
} |
In this noncompliant code example, control reaches the end of the getlen() function when input does not contain the integer delim. Because the potentially undefined return value of getlen() is later used as an index into an array, a buffer overflow may occur.
#include <stddef.h>
size_t getlen(const int *input, size_t maxlen, int delim) {
for (size_t i = 0; i < maxlen; ++i) {
if (input[i] == delim) {
return i;
}
}
}
void func(int userdata) {
size_t i;
int data[] = { 1, 1, 1 };
i = getlen(data, sizeof(data), 0);
data[i] = userdata;
} |
Violating this rule can have unexpected consequences, as in the following example:
#include <stdio.h>
size_t getlen(const int *input, size_t maxlen, int delim) {
for (size_t i = 0; i < maxlen; ++i) {
if (input[i] == delim) {
return i;
}
}
}
int main(int argc, char **argv) {
size_t i;
int data[] = { 1, 1, 1 };
i = getlen(data, sizeof(data), 0);
printf("Returned: %zu\n", i);
data[i] = 0;
return 0;
} |
When this program is compiled with -Wall on most versions of the GCC compiler, the following warning is generated:
example.c: In function 'getlen'€™: example.c:12: warning: control reaches end of non-void function |
None of the inputs to the function equal the delimiter, so when run with GCC 4.4.3 on Linux, control reaches the end of the getlen() function, which returns 5, causing an out-of-bounds write to the data array.
This compliant solution changes the interface of getlen() to store the result in a user-provided pointer and return an error code to indicate any error conditions. The best method for handling this type of error is specific to the application and the type of error (see ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy for more on error handling).
int getlen(const int *input, size_t maxlen, int delim,
size_t *result) {
for (size_t i = 0; i < maxlen; ++i) {
if (input[i] == delim) {
if (result != NULL) {
*result = i;
}
return 0;
}
}
return -1;
}
void func(int userdata) {
size_t i;
int data[] = {1, 1, 1};
if (getlen(data, sizeof(data), 0, &i) != 0) {
/* Handle error */
} else {
data[i] = userdata;
}
}
|
MSC37-C-EX1: According to the C Standard, 5.1.2.2.3, paragraph 1 [ISO/IEC 9899:2011], "Reaching the } that terminates the main function returns a value of 0." As a result, it is permissible for control to reach the end of the main() function without executing a return statement.
Using the return value from a non-void function where control reaches the end of the function without evaluating a return statement can lead to buffer overflow vulnerabilities as well as other unexpected program behaviors.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC37-C | High | Unlikely | Low | P9 | L2 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | LANG.STRUCT.MRS | Missing return statement | |
| LDRA tool suite | 2 D, 36 S, 66 S | Fully implemented | |
| Parasoft C/C++test | 9.5 | MISRA2012-RULE-17_4 | Fully implemented |
| PRQA QA-C | 2888 | ||
| SonarQube Plugin | 3.1 | S935 |
| CERT C Secure Coding Standard | MSC01-C. Strive for logical completeness |
| [ISO/IEC 9899:2011] | 5.1.2.2.3, "Program Termination" |
