...

Code Block (noncompliant, C)
#include <stdarg.h>
#include <stddef.h>

void func(size_t num_vargs, ...) {
  va_list ap;
  va_start(ap, num_vargs);
  if (num_vargs > 0) {
    /* Noncompliant: the argument was promoted to int by the caller,
       but it is read here as unsigned char */
    unsigned char c = va_arg(ap, unsigned char);
    // ...
  }
  va_end(ap);
}

void f(void) {
  unsigned char c = 0x12;
  func(1, c);
}

...

Code Block (compliant, C)
#include <stdarg.h>
#include <stddef.h>

void func(size_t num_vargs, ...) {
  va_list ap;
  va_start(ap, num_vargs);
  if (num_vargs > 0) {
    /* Read the promoted type (int), then convert back to unsigned char */
    unsigned char c = (unsigned char) va_arg(ap, int);
    // ...
  }
  va_end(ap);
}

void f(void) {
  unsigned char c = 0x12;
  func(1, c);
}

...

Code Block (noncompliant, C)
#include <stdarg.h>

void func(const char *cp, ...) {
  va_list ap;
  va_start(ap, cp);
  /* Noncompliant: va_arg() is called although the caller passed
     no variadic arguments */
  int val = va_arg(ap, int);
  // ...
  va_end(ap);
}

void f(void) {
  func("The only argument");
}

Compliant Solution

Standard C provides no mechanism to enable a variadic function to determine how many variadic arguments are actually provided to the function call. That information must be passed in an out-of-band manner. Oftentimes this results in the information being encoded in the initial parameter, as in this compliant solution:

Code Block (compliant, C)
#include <stdarg.h>
#include <stddef.h>

void func(size_t num_vargs, const char *cp, ...) {
  va_list ap;
  va_start(ap, cp);
  /* num_vargs tells the function how many variadic arguments exist */
  if (num_vargs > 0) {
    int val = va_arg(ap, int);
    // ...
  }
  va_end(ap);
}

void f(void) {
  func(0, "The only argument");
}
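
The two points above (read each argument with its promoted type, and pass the argument count out of band) combined in one added example; this is not code from the CERT page. The function name `sum_tagged()` and its tag letters are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not from the CERT page. Sums num_vargs variadic
 * arguments; tags[i] names the caller's type for argument i:
 * 'c' unsigned char, 's' short, 'i' int, 'f' float, 'd' double.
 * Returns 0 on success, -1 on an unknown tag or a tag string shorter
 * than num_vargs (the NUL lands in default, so no further va_arg runs). */
int sum_tagged(double *out, size_t num_vargs, const char *tags, ...) {
  va_list ap;
  double total = 0.0;
  int rc = 0;

  va_start(ap, tags);
  for (size_t i = 0; i < num_vargs && rc == 0; ++i) {
    switch (tags[i]) {
    case 'c': /* unsigned char arrives as int: read int, narrow back */
      total += (unsigned char)va_arg(ap, int);
      break;
    case 's': /* short arrives as int as well */
      total += (short)va_arg(ap, int);
      break;
    case 'i':
      total += va_arg(ap, int);
      break;
    case 'f': /* float arrives as double */
      total += (float)va_arg(ap, double);
      break;
    case 'd':
      total += va_arg(ap, double);
      break;
    default:
      rc = -1;
    }
  }
  va_end(ap);
  if (rc == 0) *out = total;
  return rc;
}

int main(void) {
  unsigned char c = 0x12; /* constructed sample values */
  float f = 1.5f;
  double total = 0.0;
  if (sum_tagged(&total, 3, "cfi", c, f, 7) == 0)
    printf("%.1f\n", total);
  return 0;
}
```

The count and the tag string are only as trustworthy as the caller: the function cannot detect a tag that misdescribes the argument actually passed.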

Risk Assessment

Incorrect use of va_arg() results in undefined behavior that can include accessing stack memory.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP47-C | Medium | Likely | High | P6 | L2 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Axivion Bauhaus Suite | | CertC-EXP47 | |
| Clang | | -Wvarargs | Can detect some instances of this rule, such as promotable types. Cannot detect mismatched types or incorrect number of variadic arguments. |
| CodeSonar | | BADMACRO.STDARG_H | Use of <stdarg.h> feature |
| LDRA tool suite | | 44 S | Enhanced Enforcement |
| Parasoft C/C++test | | CERT_C-EXP47-a | Do not call va_arg with an argument of the incorrect type |
| Polyspace Bug Finder | | CERT C: Rule EXP47-C | Checks for: Incorrect data type passed to va_arg; Too many va_arg calls for current argument list. Rule fully covered |
| TrustInSoft Analyzer | | unclassified (variadic) | Exhaustively verified (see one compliant and one non-compliant example). |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

[ISO/IEC 9899:2011] Subclause 7.16, "Variable Arguments <stdarg.h>"; Subclause 6.5.2.2, "Function calls"

...


...
