CWE-394

BaseDraft

View on MITRE

Unexpected Status Code or Return Value

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

13 linked vulnerabilities

1 related weaknesses

IntegrityOtherUnexpected StateAlter Execution Logic

Automated Static AnalysisEffectiveness: High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Modes of Introduction

Implementation

Related Weaknesses

CWE-754ChildOf

Example CVEs (8)

CVE-2004-1395

Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit.

CVE-2002-2124

Unchecked return code from recv() leads to infinite loop.

CVE-2005-2553

Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't.

CVE-2005-1858

Memory not properly cleared when read() function call returns fewer bytes than expected.

CVE-2000-0536

Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.

External Links

MITRE CWE Database

CWE-394: Unexpected Status Code or Return Value | Mondoo Vulnerability Intelligence