CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

Individual Dictionary Definition (CWE version 2.11)

CWE-253: Incorrect Check of Function Return Value

Weakness ID: 253
Abstraction: Base
Status: Incomplete
+ Description

Description Summary

The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions.

Extended Description

Important and common functions return a value that reports whether the call succeeded. That value tells the program whether it must handle an error raised by the function. If the check is written against the wrong type, sign or sentinel (for example, testing a pointer for a negative value instead of for NULL), the failure is silently accepted as success and the program continues in an unexpected state.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope            Effect
Availability,    Technical Impact: Unexpected state; DoS: crash / exit / restart
Integrity        An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.

+ Likelihood of Exploit

Low

+ Demonstrative Examples

Example 1

This code attempts to allocate memory for 4 integers and checks if the allocation succeeds.

(Bad Code)
Example Languages: C and C++ 
int *tmp = malloc(sizeof(int) * 4);
if (tmp < 0) {
    perror("Failure");
    // wrong check: should have tested whether the call returned NULL (0)
}

The code assumes that only a negative return value would indicate an error, but malloc() signals failure by returning a null pointer (NULL, which compares equal to 0), never a negative value. The condition tmp < 0 is therefore never true on failure, so the error is missed and tmp is dereferenced later as if the allocation had succeeded. An ordered comparison between a pointer and an integer is also not a valid pointer comparison in C, and most compilers warn about it, which is a useful hint that the check is testing the wrong convention.
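The same check written correctly, as an added example that is not part of the CWE entry: the allocation result is tested against NULL, the size arithmetic is guarded before malloc() is called, and a second helper shows a related misreading of a return value in the same family, where snprintf() reports the length the output needed rather than the bytes it stored, so a test of "ret > 0" alone accepts truncated output. The function names alloc_ints, demo_alloc and format_checked, the buffer sizes and the sample inputs are assumptions made for this example.

```c
/* Added example, not from the CWE entry. Function names, buffer sizes and
 * sample inputs are assumptions made for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocate n zeroed ints. Returns NULL on failure, as malloc() does.
 * The result is compared against NULL; a signed test such as "< 0" can
 * never be true for a pointer and would let the failure pass as success. */
int *alloc_ints(size_t n)
{
    /* Overflow in n * sizeof(int) would make malloc() succeed with a buffer
     * far smaller than intended, so reject it before the call. */
    if (n > SIZE_MAX / sizeof(int)) {
        errno = ENOMEM;
        return NULL;
    }
    int *p = malloc(n * sizeof *p);
    if (p == NULL) {
        perror("malloc");      /* report; the caller decides how to recover */
        return NULL;
    }
    memset(p, 0, n * sizeof *p);
    return p;
}

/* Returns 1 when the allocation succeeded and was used, 0 when the failure
 * was detected and handled instead of being dereferenced. */
int demo_alloc(size_t n)
{
    int *p = alloc_ints(n);
    if (p == NULL)
        return 0;
    p[0] = 42;
    free(p);
    return 1;
}

/* snprintf() returns the number of characters the full output would need,
 * not the number actually stored, and a negative value on an encoding error.
 * Checking only "ret > 0" therefore accepts silently truncated output.
 * Returns 1 only when the whole string fit in dst, 0 otherwise. */
int format_checked(char *dst, size_t cap, const char *name)
{
    int ret = snprintf(dst, cap, "user=%s", name);
    if (ret < 0)
        return 0;                 /* encoding error */
    if ((size_t)ret >= cap)
        return 0;                 /* output was truncated to cap - 1 bytes */
    return 1;
}

int main(void)
{
    char buf[16];
    printf("alloc 4 ints: %s\n", demo_alloc(4) ? "ok" : "failed");
    printf("alloc SIZE_MAX ints: %s\n", demo_alloc(SIZE_MAX) ? "ok" : "failed");
    printf("format \"bob\": %s\n",
           format_checked(buf, sizeof buf, "bob") ? "fit" : "truncated");
    printf("format long name: %s\n",
           format_checked(buf, sizeof buf, "a-very-long-user-name") ? "fit" : "truncated");
    return 0;
}
```

Both helpers follow the rule the mitigations below describe: the check is written against the error convention the callee actually uses (a null pointer for malloc(), a negative value or an over-length count for snprintf()), and the caller receives an unambiguous success indicator rather than a value it has to reinterpret.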

+ Potential Mitigations

Phase: Architecture and Design

Strategy: Language Selection

Use a language or compiler that reports errors through exceptions and requires those exceptions to be caught, so that an unhandled failure cannot be silently mistaken for success.

Phase: Implementation

Properly check the return value of every function that returns one, against the error convention that function actually uses (a null pointer, a negative value, a specific error code, or an out-of-range count) rather than an assumed one.

Phase: Implementation

When designing any function, make sure it returns a distinguishable error value or throws an exception when an error occurs, and document which convention callers must check.

+ Relationships
Nature    Type            ID    Name                                                   View(s) this relationship pertains to
ChildOf   Weakness Class  227   Improper Fulfillment of API Contract ('API Abuse')     Development Concepts (primary) (699)
ChildOf   Category        389   Error Conditions, Return Values, Status Codes          Development Concepts (699)
ChildOf   Weakness Class  573   Improper Following of Specification by Caller          Research Concepts (primary) (1000)
ChildOf   Weakness Class  754   Improper Check for Unusual or Exceptional Conditions   Research Concepts (1000)
ChildOf   Category        962   SFP Secondary Cluster: Unchecked Status Condition      Software Fault Pattern (SFP) Clusters (primary) (888)
MemberOf  View            884   CWE Cross-section                                      CWE Cross-section (primary) (884)
+ Taxonomy Mappings
Mapped Taxonomy Name      Node ID   Fit   Mapped Node Name
CLASP                                     Misinterpreted function return value
Software Fault Patterns   SFP4            Unchecked Status Condition
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment", 1st Edition, Chapter 7, "Return Value Testing and Interpretation", p. 340. Addison Wesley, 2006.
+ Content History
Submissions
Submission Date   Submitter   Organization   Source
                  CLASP                      Externally Mined

Modifications
Modification Date   Modifier           Organization   Source     Changes
2008-09-08          CWE Content Team   MITRE          Internal   updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2008-11-24          CWE Content Team   MITRE          Internal   updated Demonstrative_Examples
2009-03-10          CWE Content Team   MITRE          Internal   updated Description, Name, Relationships
2011-06-01          CWE Content Team   MITRE          Internal   updated Common_Consequences
2012-05-11          CWE Content Team   MITRE          Internal   updated Common_Consequences, Demonstrative_Examples, References, Relationships
2012-10-30          CWE Content Team   MITRE          Internal   updated Potential_Mitigations
2014-06-23          CWE Content Team   MITRE          Internal   updated Description, Other_Notes
2014-07-30          CWE Content Team   MITRE          Internal   updated Relationships, Taxonomy_Mappings

Previous Entry Names
Change Date   Previous Entry Name
2009-03-10    Misinterpreted Function Return Value

Page Last Updated: May 05, 2017