Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFCCCC
langc
#include <stdarg.h>
#include <stddef.h>

void func(size_t countnum_vargs, ...) {
  va_list ap;  
  va_start(ap, countnum_vargs);
  if (countnum_vargs > 0) {
    unsigned char c = va_arg(ap, unsigned char);
    // ...
  }
  va_end(ap);
}
 
void f(void) {
  unsigned char c = 0x12;
  func(1, c);
}

...

Code Block
bgColor#ccccff
langc
#include <stdarg.h>
#include <stddef.h>

void func(size_t countnum_vargs, ...) {
  va_list ap;  
  va_start(ap, countnum_vargs);
  if (countnum_vargs > 0) {
    unsigned char c = (unsigned char) va_arg(ap, int);
    // ...
  }
  va_end(ap);
}

void f(void) {
  unsigned char c = 0x12;
  func(1, c);
}

...

Code Block
bgColor#ccccff
langc
#include <stdarg.h>
#include <stddef.h>

void func(size_t num_vargs, const char *cp, ...) {
  va_list ap;  
  va_start(ap, cp);
  if (num_vargs > 0) {
    int val = va_arg(ap, int);
    // ...
  }
  va_end(ap);
}
 
void f(void) {
  func(0, "The only argument", 0);
}

Risk Assessment

Incorrect use of va_arg() results in undefined behavior that can include accessing stack memory.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP47-C

Medium

Likely

High

P6

L2

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-EXP47
Clang
Include Page
Clang_V
Clang_V
-WvarargsCan detect some instances of this rule, such as promotable types.
Cannot detect mismatched types or incorrect number of variadic arguments.
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
BADMACRO.STDARG_HUse of <stdarg.h> feature
LDRA tool suite
Include Page
LDRA_V
LDRA_V

44 S

Enhanced Enforcement

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP47-aDo not call va_arg with an argument of the incorrect type

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP47-C


Checks for:

  • Incorrect data type passed to va_arg
  • Too many va_arg calls for current argument list

Rule fully covered

TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

unclassified (variadic)

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

[ISO/IEC 9899:2011]Subclause 7.16, "Variable Arguments <stdarg.h>"
Subclause 6.5.2.2, "Function calls"

 


...

Image Modified Image Modified Image Modified