...

In this example, is_ptr(e) returns true if expression e has a pointer type. is_ptr(e) calls variadic function isPtr(...), but the call takes place in a sizeof expression. Consequently, isPtr(...) must be declared, but it need not, and should not, be defined.

Non-compliant Code Example

This example uses a variadic function to concatenate an arbitrary number of null-terminated character sequences (NTCS) into a single NTCS. Each call to the function must pass a null pointer value as the last argument to mark the end of the argument list.

...

char *u = concatenate("hello", separator, "world"); // undefined behavior

char *v = concatenate("hello", ' ', "world", NULL); // undefined behavior

Compliant Solution

Rather than use a variadic function, you can use a chain of binary operations:

#include <string>

std::string separator = /* some reasonable value */;

std::string s = "hello" + separator + "world";
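As an added example (not code from the original page or from the CERT standard), the same idea can be generalized to any number of pieces with a variadic template; the name concatenate() is borrowed from the noncompliant function above and is hypothetical, and the code assumes C++11. Each argument is converted to std::string, so the call expands into the chain of binary + operations the compliant solution recommends, with no NULL sentinel to forget and with a non-string argument rejected at compile time.

```cpp
#include <string>

// Base case: no arguments left, nothing more to append.
inline std::string concatenate() { return std::string(); }

// Variadic template: each argument is converted to std::string and the
// result is built as a chain of binary operator+ calls, which is exactly
// the form the compliant solution recommends. There is no argument count
// or NULL sentinel for the caller to get wrong, and an argument that has
// no conversion to std::string (such as the char ' ' from the noncompliant
// example) is a compile-time error instead of undefined behavior at run time.
template <typename First, typename... Rest>
std::string concatenate(const First& first, const Rest&... rest) {
    return std::string(first) + concatenate(rest...);
}

// Mirrors the page's call site with a std::string separator (constructed value).
std::string greeting(const std::string& separator) {
    return concatenate("hello", separator, "world");
    // concatenate("hello", ' ', "world");  // does not compile: no std::string(char)
}
```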

Risk Assessment

Incorrectly using a variadic function can result in abnormal program termination, unintended information disclosure, or execution of arbitrary code.

Rule               Severity   Likelihood     Remediation Cost   Priority   Level
DCL33 DCL38-C CPP  3 (high)   2 (probable)   3 (low)            P18        L1

...
