...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdarg.h> #include <stddef.h> void func(size_t countnum_vargs, ...) { va_list ap; va_start(ap, countnum_vargs); if (countnum_vargs > 0) { unsigned char c = va_arg(ap, unsigned char); // ... } va_end(ap); } void f(void) { unsigned char c = 0x12; func(1, c); } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdarg.h> #include <stddef.h> void func(size_t countnum_vargs, ...) { va_list ap; va_start(ap, countnum_vargs); if (countnum_vargs > 0) { unsigned char c = (unsigned char) va_arg(ap, int); // ... } va_end(ap); } void f(void) { unsigned char c = 0x12; func(1, c); } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdarg.h> #include <stddef.h> void func(size_t num_vargs, const char *cp, ...) { va_list ap; va_start(ap, cp); if (num_vargs > 0) { int val = va_arg(ap, int); // ... } va_end(ap); } void f(void) { func(0, "The only argument", 0); } |
Risk Assessment
Incorrect use of va_arg()
results in undefined behavior that can include accessing stack memory.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP47-C | Medium | Likely | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-EXP47 | |||||||
Clang |
| -Wvarargs | Can detect some instances of this rule, such as promotable types. Cannot detect mismatched types or incorrect number of variadic arguments. | ||||||
CodeSonar |
| BADMACRO.STDARG_H | Use of <stdarg.h> feature | ||||||
LDRA tool suite |
| 44 S | Enhanced Enforcement | ||||||
Parasoft C/C++test |
| CERT_C-EXP47-a | Do not call va_arg with an argument of the incorrect type | ||||||
| Checks for:
Rule fully covered | ||||||||
TrustInSoft Analyzer |
| unclassified (variadic) | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
[ISO/IEC 9899:2011] | Subclause 7.16, "Variable Arguments <stdarg.h> "Subclause 6.5.2.2, "Function calls" |
...
...