CWE-253: Incorrect Check of Function Return Value

Description

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

Extended Description

Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2023-49286

Chain: function in web caching proxy does not correctly check a return value (CWE-253) leading to a reachable assertion (CWE-617)

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Unexpected State, DoS: Crash, Exit, or Restart — Notes: An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.

Potential Mitigations

Architecture and Design: Use a language or compiler that uses exceptions and requires the catching of those exceptions. (N/A)
Implementation: Properly check all functions which return a value. (N/A)
Implementation: When designing any function make sure you return a value or throw an exception in case of an error. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: This code attempts to allocate memory for 4 integers and checks if the allocation succeeds.

Body: The code assumes that only a negative return value would indicate an error, but malloc() may return a null pointer when there is an error. The value of tmp could then be equal to 0, and the error would be missed.

tmp = malloc(sizeof(int) * 4); if (tmp < 0 ) { perror("Failure"); //should have checked if the call returned 0 }

Notes

No notes available.

← Back to CWE list