Incorporate diagnostic tests into your program using, for example, the assert() macro.

The assert macro expands to a void expression:

#include <assert.h>
void assert(scalar expression);

When it is executed, if expression (which must have a scalar type) is false, the assert macro outputs information about the failed assertion (including the text of the argument, the name of the source file, the source line number, and the name of the enclosing function) on the standard error stream in an implementation-defined format and calls the abort() function.

In the following example, the test for integer wrap was omitted for the unsigned multiplication based on the assumption that MAX_TABLE_SIZE * sizeof(char *) cannot exceed SIZE_MAX. While we know this is true, it cannot do any harm to codify this assumption.

assert(size <= SIZE_MAX/sizeof(char *));
table_size = size * sizeof(char *);

Assertions are primarily intended for use during debugging, and are generally turned off before code is shipped by defining NDEBUG (typically as a flag passed to the compiler). Consequently, assertions should be used to protect against incorrect assumptions and not for runtime error checking.

Assertions should not be used to check for

Code that protects against a buffer overflow, for example, cannot be implemented as an assertion because this code must be presented in the deployed executable.

In particular, assertions are generally unsuitable for server programs or embedded systems. A failed assertion can lead to a denial-of-service attack if a malicious user can discover how to trigger it, such as if size were in some way derived from client input. In such situations, a soft failure mode such as writing to a log file is more appropriate.

if (size > SIZE_MAX/sizeof(char *)) {
  fprintf(
    log_file, 
    __FILE__ ": size %zu exceeds SIZE_MAX/sizeof(char *)\n", 
    size
  );
  size = SIZE_MAX/sizeof(char *);
}
table_size = size * sizeof(char *);

Risk Assessment

Assertions are a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities. The absence of assertions, however, does not mean that code is incorrect.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC11-C

low

unlikely

high

P1

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.2.1, "Program diagnostics"


MSC10-C. Character Encoding - UTF8 Related Issues      13. Miscellaneous (MSC)       MSC12-C. Detect and remove code that has no effect