Security Impact of Error Handling
- Information leakage
  - Stack traces
  - Database errors
- Resource leakage
  - Return on error without de-allocation
  - Exceptions bypass de-allocation
CSC 666: Secure Software Engineering
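The "return on error without de-allocation" case above, as an added example that is not part of the lecture material. Both functions acquire a heap block and then run a second step that is made to fail on demand (the failure flag and the live-block counter are constructed for this demonstration so a test can observe the leak): the first returns straight from the error branch and drops the block, the second funnels every exit through one cleanup label.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count of heap blocks currently held; exposes a leak without a debugger. */
static int live_blocks = 0;

static char *acquire(size_t n)
{
    char *p = malloc(n);
    if (p != NULL)
        live_blocks++;
    return p;
}

static void release(char *p)
{
    if (p != NULL) {
        free(p);
        live_blocks--;
    }
}

/* Stand-in for a later processing step; fails when fail_step is nonzero
   (constructed for the demo). */
static int parse_record(const char *buf, int fail_step)
{
    (void)buf;
    return fail_step ? -1 : 0;
}

/* Leaky: the error return in the middle of the function skips release(). */
int process_leaky(int fail_step)
{
    char *buf = acquire(64);
    if (buf == NULL)
        return -1;
    strcpy(buf, "record");
    if (parse_record(buf, fail_step) != 0)
        return -1;            /* buf is never released on this path */
    release(buf);
    return 0;
}

/* Fixed: a single exit path releases whatever was acquired, on success
   and on every error. release() tolerates NULL, so the early failure of
   acquire() needs no special case. */
int process_fixed(int fail_step)
{
    int rc = -1;
    char *buf = acquire(64);
    if (buf == NULL)
        goto out;
    strcpy(buf, "record");
    if (parse_record(buf, fail_step) != 0)
        goto out;
    rc = 0;
out:
    release(buf);
    return rc;
}

int live_block_count(void)
{
    return live_blocks;
}

int main(void)
{
    process_fixed(1);
    printf("after process_fixed(1): %d live block(s)\n", live_block_count());
    process_leaky(1);
    printf("after process_leaky(1): %d live block(s)\n", live_block_count());
    return 0;
}
```

The same pattern applies to file descriptors, locks and database handles; the goto-to-cleanup idiom is the usual C substitute for the finally/RAII mechanisms that other languages provide.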
Error Handling Techniques
- Return a neutral value: return a value that is known to be harmless, i.e. 0 or "".
- Substitute the next piece of data: continue reading from hardware or file until a valid record is found.
- Return the same answer as last time: don't keep reading; instead return the last valid answer.
- Substitute the closest legal value: if velocity has a range of 0..100, show 0 when backing up.
- Log a warning message: write a warning to a log, then continue on, perhaps using one of the other techniques.
- Terminate program: terminate program execution.
- Return an error code: report the error by
  - setting the value of a status variable (errno)
  - returning status as the function's return value
  - throwing an exception
Return Codes
- Use the function return code to indicate an error.
- Easy to ignore: the caller can simply ignore the return code.
- Error handling logic is mixed with the logic processing normal return values.
- No universal convention for error codes.
- Common return code patterns:
  - Negative values when a nonnegative result is expected.
  - NULL values for pointer return codes.
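Both return-code patterns from this slide together with a caller that checks them, as an added example (not from the course). parse_port uses the negative-value convention and also sets errno; find_user uses the NULL-pointer convention over a constructed two-entry table. The MUST_CHECK macro wraps the GCC/Clang warn_unused_result attribute, one practical answer to "easy to ignore": the compiler warns when a caller discards the result.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ask GCC/Clang to warn when a caller drops the return value. */
#if defined(__GNUC__)
#define MUST_CHECK __attribute__((warn_unused_result))
#else
#define MUST_CHECK
#endif

/* Pattern 1: negative value where a nonnegative result is expected.
   Returns 0..65535 on success; -1 on error with errno set. */
MUST_CHECK int parse_port(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0') {
        errno = EINVAL;
        return -1;
    }
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > 65535) {
        errno = ERANGE;           /* out of range or trailing junk */
        return -1;
    }
    return (int)v;
}

/* Pattern 2: NULL from a pointer-returning lookup (constructed table). */
struct user { const char *name; int uid; };
static const struct user users[] = { { "alice", 1000 }, { "bob", 1001 } };

MUST_CHECK const struct user *find_user(const char *name)
{
    size_t i;
    if (name == NULL)
        return NULL;
    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Caller that honours both conventions. Returns the port on success,
   -1 if the user is unknown or the port string is invalid. */
int bound_port_for(const char *name, const char *port_str)
{
    const struct user *u = find_user(name);
    int port;

    if (u == NULL)
        return -1;                /* NULL check before any dereference */
    port = parse_port(port_str);
    if (port < 0)
        return -1;                /* negative means error, not a port */
    printf("uid %d -> port %d\n", u->uid, port);
    return port;
}

int main(void)
{
    bound_port_for("alice", "443");
    bound_port_for("eve", "443");    /* unknown user: -1 */
    bound_port_for("bob", "70000");  /* out of range: -1 */
    return 0;
}
```

Note how the validity checks in bound_port_for sit between the normal-path statements, which is the "error handling mixed with normal logic" cost the slide mentions.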
Example: character get functions
- fgetc(), getchar() read a char but return an int.
- The int is used so that EOF can be represented as an error code distinct from every character value.
- Incorrect example: the return value is stored in a char.

    char buf[BUFSIZ];
    char c;                 /* should be int: a char cannot hold EOF and every byte value distinctly */
    int i = 0;
    while ((c = getchar()) != '\n' && c != EOF) {
        if (i < BUFSIZ - 1) {
            buf[i++] = c;
        }
    }
    buf[i] = '\0';          /* null-terminate the collected line */
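The faulty loop from the slide beside its corrected form, as an added example that is not part of the lecture. Instead of reading stdin, both versions read from a constructed in-memory stream with the same contract as getchar() (0..255 or EOF), so the effect of the narrowing can be observed on a fixed input: a line containing the byte 0xFF. The HANG_GUARD counter is an addition for the demonstration only; the original loop has no such exit.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 64
#define HANG_GUARD 1000   /* added so the faulty loop cannot spin forever in this demo */

/* Constructed in-memory stream standing in for stdin; same contract as
   getchar(): returns the next byte as 0..255, or EOF (-1) at end. */
struct memstream { const unsigned char *data; size_t len, pos; };

static int mem_getc(struct memstream *s)
{
    if (s->pos >= s->len)
        return EOF;
    return s->data[s->pos++];
}

/* Faulty version: the int result is narrowed to char, as on the slide.
   On a signed-char platform the byte 0xFF becomes -1 and is mistaken for
   EOF, truncating the line; on an unsigned-char platform EOF becomes 255
   and the loop never sees end-of-input. Returns the number of bytes
   stored, or -2 if the hang guard tripped. */
int read_line_bad(const unsigned char *data, size_t len, char buf[LINE_CAP])
{
    struct memstream s = { data, len, 0 };
    char c;
    int i = 0, calls = 0;

    while ((c = mem_getc(&s)) != '\n' && c != EOF) {
        if (++calls > HANG_GUARD)
            return -2;
        if (i < LINE_CAP - 1)
            buf[i++] = c;
    }
    buf[i] = '\0';
    return i;
}

/* Fixed version: keep the int so EOF stays distinct from every byte value. */
int read_line_good(const unsigned char *data, size_t len, char buf[LINE_CAP])
{
    struct memstream s = { data, len, 0 };
    int c;
    int i = 0;

    while ((c = mem_getc(&s)) != '\n' && c != EOF) {
        if (i < LINE_CAP - 1)
            buf[i++] = (char)c;
    }
    buf[i] = '\0';
    return i;
}

/* Convenience wrappers taking a C string (the samples contain no NUL byte). */
int bad_len(const char *text)
{
    char buf[LINE_CAP];
    return read_line_bad((const unsigned char *)text, strlen(text), buf);
}

int good_len(const char *text)
{
    char buf[LINE_CAP];
    return read_line_good((const unsigned char *)text, strlen(text), buf);
}

int main(void)
{
    /* Constructed sample: a line containing the byte 0xFF and no trailing newline. */
    const char *sample = "ab\xFF" "cd";
    printf("good: %d bytes, bad: %d bytes\n", good_len(sample), bad_len(sample));
    return 0;
}
```

On a typical x86 Linux build (signed char) the faulty version stops after two bytes, silently dropping the rest of the line; on an unsigned-char target such as ARM Linux it would instead loop forever at end-of-input, which is why the demo's guard exists. Any parser that treats the truncated line as the whole input has been given a way to hide data after an 0xFF byte.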