C99 [ISO/IEC 9899:1999], Section 6.5.2.2 says

If an attempt is made to modify the result of a function call or to access it after the next sequence point, the behavior is undefined.

...

  1. In C, the lifetime of a return value ends at the next sequence point. Consequently, by the time printf() is called, the struct returned by the addressee() call is no longer considered valid and could have been overwritten.
  2. C function arguments are passed by value. As a result, copies are made of all objects generated by the arguments. For example, a copy is made of the pointer to "Hello, %s!\n". Under most circumstances, these copies protect you from the effects of sequence points described earlier.
  3. Finally, C implicitly converts arrays to pointers when passing them as function arguments. This means that a copy is made of the pointer to the addressee().a array, and that pointer copy is passed to printf(). But the array data itself is not copied and could no longer exist when printf() is called.

Consequently, when printf() tries to dereference the pointer passed as its second argument, it is likely to find garbage.

...

Compliant Solution

This compliant solution stores the structure returned by the call to addressee() as my_x before calling the printf() function, so the array it contains is still alive when printf() reads it.
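The following is an added illustration, not the page's own code: the struct definition, the body of addressee() and the greet() wrapper are assumptions chosen so the example runs stand-alone. The noncompliant call is kept in a comment because, under C99, executing it reads a temporary whose lifetime has already ended.

```c
#include <stdio.h>
#include <string.h>

/* Struct type assumed for this example; it carries an array member so that
 * "addressee().a" decays to a pointer into the returned temporary. */
struct X {
    char a[8];
};

/* Assumed helper: returns a struct by value holding a short string. */
struct X addressee(void) {
    struct X result = { "world" };
    return result;
}

/* Noncompliant pattern (shown only as a comment, not executed):
 *
 *     printf("Hello, %s!\n", addressee().a);
 *
 * addressee() returns a temporary; ".a" decays to a pointer into it; under
 * C99 the temporary's lifetime ends at the next sequence point, so printf()
 * dereferences a pointer to an object that no longer exists. */

/* Compliant: copy the returned struct into a named object, my_x, whose
 * lifetime spans the whole formatting call, then pass a pointer into my_x.
 * snprintf() is used instead of printf() so the result can be checked. */
int greet(char *buf, size_t buflen) {
    struct X my_x = addressee();   /* my_x lives until greet() returns */
    return snprintf(buf, buflen, "Hello, %s!\n", my_x.a);
}

int main(void) {
    char buf[32];
    if (greet(buf, sizeof buf) > 0) {
        fputs(buf, stdout);        /* prints "Hello, world!" */
    }
    return 0;
}
```

C11 (6.2.4p8) later gave such temporaries a lifetime that lasts to the end of the containing full expression, so the commented-out call is well-defined there; copying into a named object remains the portable choice for code that must also compile as C99.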

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

[ISO/IEC PDTR 24772] TR 24772 "DCM Dangling references to stack frames" and "SAM Side-effects and order of evaluation"

Bibliography

[ISO/IEC 9899:1999] Section 6.5.2.2, "Function calls"

...
