SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 81

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

In the following code example, the variadic function average() calculates the average value of the positive integer arguments passed to the function [Seacord 2005c2013]. The function processes arguments until it encounters an argument with the value of va_eol (-1).

...

This compliant solution enforces the contract by adding va_eol as the final argument.:

Code Block
bgColor#ccccff
langc
int avg = average(1, 4, 6, 4, 1, va_eol);

...

Another common mistake is to use more conversion specifiers than supplied arguments, as shown in this noncompliant code example.:

Code Block
bgColor#ffcccc
langc
const char *error_msg = "Resource not available to user.";
/* ... */
printf("Error (%s): %s", error_msg);

...

This compliant solution matches the number of format specifiers with the number of variable arguments.:

Code Block
bgColor#ccccff
langc
const char *error_msg = "Resource not available to user.";
/* ... */
printf("Error: %s", error_msg);

...

Incorrectly using a variadic function can result in abnormal program termination or unintended information disclosure.

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

DCL10-C

high

High

Probable

probable

No

high

No

P6

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported, but no explicit checker
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0185, C0184
Klocwork
Include Page
Klocwork_V
Klocwork_V
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY
SV.FMT_STR.SCAN_PARAMS_WRONGNUM.FEW
SV.FMT_STR.SCAN_PARAMS_WRONGNUM.MANY
LDRA tool suite
Include Page
LDRA_V
LDRA_V

41 S

Partially implemented

PRQA QA-C Include PagePRQA_VPRQA_V

0185
0184

Enhanced Enforcement

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL10-aThe number of format specifiers in the format string and the number of corresponding arguments in the invocation of a string formatting function should be equal
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

558, 719

Assistance provided: reports issues involving format strings

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. DCL10-C


Checks for format string specifiers and arguments mismatch (rec. partially covered)

Partially implemented

Related Guidelines

ISO/IEC TR 24772:2013Subprogram
signature mismatch
Signature Mismatch [OTR]
MISRA
-
C:2012Rule
16
17.1 (required)
: Functions shall not be defined with a variable number of arguments
MITRE CWECWE-628, Function call with incorrectly specified arguments

Bibliography

[Seacord
2005c
2013]
 

 

Chapter 6, "Formatted Output"


...

Image Modified Image Modified Image Modified