Missing break statement in switch case causing fall-through

ID

c.miscellaneous.missing_break_in_switch

Severity

low

Resource

Miscellaneous

Language

C / C++

Description

The software omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

Rationale

A case label that is not terminated by a break (or another statement that leaves the switch, such as return or goto) continues straight into the statements of the following case. In the example below, a result of FAIL prints the failure message and then falls through into the PASS case, so a failed security check is also reported as passed and the program proceeds along the success path. The compiler accepts this silently, so an accidentally omitted break is easy to miss in review, and when the affected cases implement a security decision the consequence is that the failure handling is followed by the success handling instead of replacing it.

The following code illustrates a vulnerable pattern detected by this rule:

#include <stdio.h>
#include <stdlib.h>

/* security_check(), FAIL and PASS are assumed to be defined elsewhere in the program. */
int result = security_check(data);

// VULNERABLE: Missing break statement in switch case causing fall-through
switch (result)
{
case FAIL:
	printf("Security check failed!\n");
	/* no break here: execution continues into the PASS case below */
case PASS:
	printf("Security check passed.\n");
	break;
default:
	printf("Unknown error (%d), exiting...\n", result);
	exit(1);
}
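The following is an added example, not code from the original rule page: it places the vulnerable pattern next to its corrected form and records which case bodies execute as bit flags, so the effect of the missing break can be checked directly rather than by reading printed output. The enum values FAIL and PASS and the RAN_* flags are constructed for this example; security_check() from the page is replaced by passing the result in as a parameter.

```c
#include <stdio.h>

/* Constructed outcome codes (assumption: security_check() on the page
   returns values of this kind). */
enum check_result { FAIL = 0, PASS = 1 };

/* Bit flags recording which case body ran, so a fall-through is observable
   as a return value. */
#define RAN_FAIL    0x1
#define RAN_PASS    0x2
#define RAN_DEFAULT 0x4

/* Vulnerable form, mirroring the page: the FAIL case has no break, so a
   failed check also executes the PASS handling. */
int handle_result_vulnerable(int result)
{
    int ran = 0;
    switch (result)
    {
    case FAIL:
        ran |= RAN_FAIL;          /* "Security check failed!" */
        /* missing break: execution continues into case PASS */
    case PASS:
        ran |= RAN_PASS;          /* "Security check passed." */
        break;
    default:
        ran |= RAN_DEFAULT;       /* unknown code: caller should abort */
        break;
    }
    return ran;
}

/* Fixed form: every case ends with break, so exactly one body runs. */
int handle_result_fixed(int result)
{
    int ran = 0;
    switch (result)
    {
    case FAIL:
        ran |= RAN_FAIL;
        break;                    /* the missing statement */
    case PASS:
        ran |= RAN_PASS;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    return ran;
}

/* Prints which bodies ran for each form; useful when compiling the file
   by hand to see the difference. */
static void report(const char *label, int ran)
{
    printf("%s: fail=%d pass=%d default=%d\n", label,
           (ran & RAN_FAIL) != 0, (ran & RAN_PASS) != 0,
           (ran & RAN_DEFAULT) != 0);
}

int main(void)
{
    report("vulnerable FAIL", handle_result_vulnerable(FAIL));
    report("fixed FAIL     ", handle_result_fixed(FAIL));
    report("vulnerable 42  ", handle_result_vulnerable(42));
    return 0;
}
```

Compiling the vulnerable function with GCC or Clang and -Wimplicit-fallthrough reports the unterminated FAIL case; a deliberate fall-through can be documented with a `/* fall through */` comment (recognised by GCC) or, in C++17 and C23, the `[[fallthrough]];` attribute, which keeps the warning meaningful for the omissions this rule is about.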

Remediation

Terminate every case with a break (or another statement that leaves the switch, such as return, goto or exit) so that only the code for the matching condition executes. Where fall-through is intended, mark it explicitly with a `/* fall through */` comment or, in C++17 and C23, the `[[fallthrough]];` attribute, and build with -Wimplicit-fallthrough so that unmarked fall-throughs are reported during compilation rather than discovered in review.

Configuration

This detector does not need any configuration.