- Inside Modern X11 Programming
- Making JavaScript Fast, Part 2
- Security in Your Pocket: OpenBSD on ARM
- Making JavaScript Fast, Part 1
- The Failure of the GPL
- How Not To Optimize
- A Half-Way Step to Apple’s Source Code: An Interview with David Chisnall
- Advanced Flow Control for Objective-C
- Erica Sadun on the iPhone SDK, OS X, and the Computing Landscape
- From NeXTSTEP to Cocoa: Erik Buck on the Development of Cocoa and Objective-C
- Fun with the Objective-C Runtime
- Marcus Zarra and Matt Long on Core Animation
- Steve Kochan on the Evolution of Objective-C
- The Technology NeXT Gave the World
- Where the Web and the Desktop Meet: An Interview with Lee Barney
- Pandora: An Open Console
- The Future of Wireless Networking
- GNU or Linux?
- Debugging C-Family Languages
- How Small Is Your PC? The Rise of Netbooks and Other Small Form-Factor PCs
- David Chisnall's CPU Feature Wishlist
- The Dynamic Languages Renaissance
- Robert Seacord on the CERT C Secure Coding Standard
- Objective-C for C++ Programmers, Part 3
- Objective-C for C++ Programmers, Part 2
- Objective-C for C++ Programmers, Part 1
- Writing Insecure C, Part 3
- Writing Insecure C, Part 2
- Writing Insecure C, Part 1
- iRex iLiad e-Reader: Linux's Answer to the Kindle?
- How It Works: Filesystems
- How the LLVM Compiler Infrastructure Works
- How It Works: Virtual Memory
- What Is C For?
- The Future of eBooks
- Imagining an Open Network
- Understanding How Xen Approaches Device Drivers
- Examining the Legendary HURD Kernel
- Competition Among Open Source Compilers
- Inside Your OS: What is a Process Scheduler, and How Does it Work?
- Bad UI of the Week: Read This (OK/Cancel)
- The End of the Desktop Era
- The What and Why of Open IM
- A Look at the Modern X Server
- The Future of Digital Media
- The Future of Identity
- Bad UI of the Week: Ask Forgiveness, Not Permission
- Copyright Versus Free Software
- Is Computer Science Dying?
- A Brief History of Programming, Part 2
- A Brief History of Programming, Part 1
- The 700MHz Question: Will the Wireless Spectrum Auction Lead to Innovation or More of the Same?
- Bad UI of the Week: The Menu Bar
- The Dark Corners of x86
- Bad UI of the Week: The Cross-Platform User Interface
- Bad UI of the Week: The Mythical "is Like" Operator
- Bad UI of the Week: Don't Make Me Tell You Twice...
- Bad UI of the Week: Kettles and Washing Machines
- The BBC iPlayer Controversy Explained
- Bad UI of the Week: The Mitten Mouse
- Bad User Interface of the Week: File It Under “Bad”
- Bad User Interface of the Week: The DVD
- A Roundup of Free Operating Systems
- DragonFly BSD: UNIX for Clusters?
- CPU Wars, Part 3: Put Your Left ARM In
- CPU Wars, Part 2: POWER to the People
- CPU Wars, Part 1: When the Chips Are Down
- ZFS Uncovered
- Vector Programming with GCC
- Free Software Versus Open Source Software
- What Programming Languages Should You Know?
- Standardizing UNIX
- Prolog: Logic Programming for Rapid Development
- POSIX Parallel Programming, Part 3: Threads
- POSIX Parallel Programming, Part 2: Message Passing
- POSIX Parallel Programming, Part 1
- The Nokia 770 Revisited
- The Open Source Desktop Myth
- Separating Style and Content: LaTeX and Typesetting
- GNUstep: A Free Software alternative to OpenStep
- Behind the Scenes of Objective-C 2.0
- The Future of CPUs: What's After Multi-Core?
- What Makes a Good Programming Language?
- Emulation: Role-Playing for Computers
- NetBSD: Not Just for Toasters
- POSIX Asynchronous I/O
- Breaking Down GPL Version 3
- The Role of Binary Drivers in a Free OS
- Security Is a UI Problem
- Debunking the Myth of High-level Languages
- A Taste of Erlang, a Dynamic, Asynchronous Message-Passing Language
- Alternatives to LAMP
- BSD Packaging Systems
- DRM: Digital Rights or Digital Restrictions?
- Introducing OpenBSD 3.9
- The Need for Virtualization and Xen
- Making Effective Software TCO Calculations
- 10 Things I Hate About U(NIX) Revisited: Readers Speak
- Comparing Open Source Licenses: GPL vs. BSDL
- BSD: The Other Free UNIX Family
- Measuring the Effectiveness of Application Security Policies
- The Cost of Free Software
- Nokia 770 Internet Tablet Week-long Test Drive
- 10 Things I Hate About (U)NIX
- The Lure of Open Source Software: Why Consider It for Your Business?
Sorry, this author hasn't posted any blogs.
Like this article? We recommend
CERT C Secure Coding Standard, The
Use of the C programming language is often blamed for insecure code. This is not entirely a valid accusation; projects like OpenBSD show that it is possible to write secure code in C. The problem with C, in this respect, is the same as the problem with assembly-language programming: The language exposes all of the features of the architecture to you, but little else. It provides all the features you need to write tools for secure coding, but doesn't provide these tools itself.
This series will look at some of the common causes of errors in C code and how to avoid them.
Error Checking
A lot of languages these days include some mechanism for throwing exceptions. Exceptions are generally a bad idea. They make it hard to reason about the flow of control in a program, and have most of the disadvantages from which GOTO-filled programs suffered before the rise of structured programming. Exceptions have one significant advantage, however: You can't passively ignore them.
Java code, in particular, is often littered with try...catch blocks that do nothing but discard errors, but even in this case the exception mechanism has served a purpose—it has made the programmer aware that he isn't safely handling error conditions.
In C, most functions return an invalid value when some kind of error condition exists. This is typically done in one of two ways. A lot of functions return an error code or zero for success. Functions that return pointers return a valid value on success and null on failure. This situation can be slightly confusing, since zero indicates success in some functions and failure in others.
Returning a null pointer is generally okay. It's not something you can ignore easily, because you'll get a segmentation fault as soon as you try to dereference it. This approach is really dangerous only in a function that almost never fails; others will cause crashes during testing and be fixed.
The canonical example of a function that almost never fails is malloc(), along with related functions like calloc(). The C specification says that malloc should return NULL if insufficient memory exists to satisfy the request. Linux doesn't quite obey this rule: It returns NULL if the system doesn't have enough virtual address space to satisfy an allocation, but in a case of insufficient memory Linux still allocates an address range—and then fails when you actually try to use the memory. Assuming that you have a compliant C implementation, however, it's worth checking malloc return values.
In most cases, there's nothing sensible you can do if malloc fails. Even error-recovery code typically needs to allocate some memory. You can try allocating this memory when the program starts. (Remember to make sure that you touch it, so lazy allocations won't defer the actual allocation until too late.) Alternatively, you can use something like the following macro:
#define MALLOC(x,y) do { y malloc(x); if (!y) abort(1); } while(0)
This macro will test every allocation and abort the program if it fails. You can replace the call to abort with a call to your error-handling code, but be careful. One of the most recent vulnerabilities in OpenSSH was caused by running error-recovery code in a situation where the program was in an undefined state. Often, terminating is the safest practice.
Checking other functions' return values is equally important.
Account Sign In
View your cart