Rule: Always check parameters on functions callable from outside code.
Thoughts:
For example, on an exported function that takes two integers (both of which should be non-negative), we could do this:
// callable from outside code
int myfunc(int a, int b) {
if ((a < 0) || (b < 0)) return -1;
return myfunc_internal(a, b);
}
// callable only from my code - can assume sanitized parameters
int myfunc_internal(int a, int b)
{ ... }