Base · Medium

CWE-253: Incorrect Check of Function Return Value

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

CWE-253 · Base Level · 1 CVE · 3 Mitigations

Description

Important and common functions return a value that indicates whether their actions succeeded. This tells the program whether it needs to handle an error caused by that function.

Potential Impact

Availability, Integrity

Unexpected State, DoS: Crash, Exit, or Restart

Demonstrative Examples

This code attempts to allocate memory for 4 integers and checks if the allocation succeeds.
Bad (C):

    int *tmp = malloc(sizeof(int) * 4);
    if (tmp < 0) {
        perror("Failure");
        /* should have checked if the call returned 0 (NULL) */
    }
The code assumes that only a negative return value would indicate an error, but malloc() may return a null pointer when there is an error. The value of tmp could then be equal to 0, and the error would be missed.
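The faulty check and its corrected form side by side, as an added example that is not part of the CWE entry. alloc_ints() is a constructed allocator wrapper with failure injection so that a NULL return can be triggered on demand, and the last function goes beyond the page's malloc() case to the snprintf() convention covered by the ERR33-C mapping listed below.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed allocator wrapper (not a libc API): with fail != 0 it
 * behaves like malloc() on exhaustion (NULL, errno = ENOMEM). */
static int *alloc_ints(size_t count, int fail)
{
    if (fail) { errno = ENOMEM; return NULL; }
    return (int *)malloc(sizeof(int) * count);
}

/* The page's check (CWE-253). The intptr_t cast only makes the ordered
 * comparison well-defined; the logic is unchanged: NULL converts to 0,
 * never to a negative value, so the error branch can never fire.
 * Returns 1 if the failure was reported, 0 if the code would carry on. */
int bad_check_reports_failure(int fail)
{
    int *tmp = alloc_ints(4, fail);
    if ((intptr_t)tmp < 0) {
        perror("Failure");
        return 1;
    }
    free(tmp); /* free(NULL) is a no-op, so the demo itself cannot crash */
    return 0;
}

/* Corrected check: test for the value malloc() actually uses for failure. */
int good_check_reports_failure(int fail)
{
    int *tmp = alloc_ints(4, fail);
    if (tmp == NULL) {
        perror("Failure");
        return 1;
    }
    free(tmp);
    return 0;
}

/* Same weakness, different convention (ERR33-C): snprintf() returns a
 * negative value on error but the would-be length on truncation, so a
 * "< 0" test alone misses truncation. Returns 1 only when "cwe-<id>"
 * fit completely in the first `size` bytes of the buffer. */
int format_id_fits(size_t size, unsigned id)
{
    char buf[32];
    if (size > sizeof buf) return 0;
    int n = snprintf(buf, size, "cwe-%u", id);
    return (n >= 0 && (size_t)n < size) ? 1 : 0;
}
```

With fail set, the first function still returns 0 (the allocation failure goes unnoticed) while the corrected one returns 1.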

Mitigations & Prevention

Architecture and Design

Use a language or compiler that uses exceptions and requires the catching of those exceptions.

Implementation

Properly check all functions which return a value.

Implementation

When designing any function make sure you return a value or throw an exception in case of an error.

Detection Methods

  • Automated Static Analysis (Effectiveness: High): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID          Description
CVE-2023-49286  Chain: function in web caching proxy does not correctly check a return value (CWE-253) leading to a reachable assertion (CWE-617)

Taxonomy Mappings

  • CLASP: Misinterpreted function return value
  • Software Fault Patterns: SFP4 — Unchecked Status Condition
  • CERT C Secure Coding: ERR33-C — Detect and handle standard library errors
  • CERT C Secure Coding: POS54-C — Detect and handle POSIX library errors

Frequently Asked Questions

What is CWE-253?

CWE-253 (Incorrect Check of Function Return Value) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

How can CWE-253 be exploited?

Attackers can exploit CWE-253 (Incorrect Check of Function Return Value) to cause an unexpected state or a denial of service (crash, exit, or restart). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-253?

Key mitigations include: Use a language or compiler that uses exceptions and requires the catching of those exceptions.

What is the severity of CWE-253?

CWE-253 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.