Incorrect Check of Function Return Value
Incomplete Base
Structure: Simple
Description
The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function.
Common Consequences 1
Scope: AvailabilityIntegrity
Impact: Unexpected StateDoS: Crash, Exit, or Restart
An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.
Potential Mitigations 3
Phase: Architecture and Design
Strategy: Language Selection
Use a language or compiler that uses exceptions and requires the catching of those exceptions.
Phase: Implementation
Properly check all functions which return a value.
Phase: Implementation
When designing any function make sure you return a value or throw an exception in case of an error.
Demonstrative Examples 1
This code attempts to allocate memory for 4 integers and checks if the allocation succeeds.
Code Example:
Bad
C
c//should have checked if the call returned 0* }
The code assumes that only a negative return value would indicate an error, but malloc() may return a null pointer when there is an error. The value of tmp could then be equal to 0, and the error would be missed.
Observed Examples 1
CVE-2023-49286Chain: function in web caching proxy does not correctly check a return value (Incorrect Check of Function Return Value) leading to a reachable assertion (Reachable Assertion)
References 2
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
The CLASP Application Security Process
Secure Software, Inc.
2005
ID: REF-18
Likelihood of Exploit
Low
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
- CLASP
- Software Fault Patterns
- CERT C Secure Coding
- CERT C Secure Coding