You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 113 Next »

Do not call a function with the wrong number or type of arguments. 

The C Standard identifies five distinct situations in which undefined behavior may arise as a result of invoking a function using a declaration that is incompatible with its definition or with incorrect types or numbers of arguments:

UBDescription

26

A pointer is used to call a function whose type is not compatible with the referenced type (6.3.2.3).

38

For a call to a function without a function prototype in scope, the number of arguments does not equal the number of parameters (6.5.2.2).

39

For call to a function without a function prototype in scope where the function is defined with a function prototype, either the prototype ends with an ellipsis or the types of the arguments after promotion are not compatible with the types of the parameters (6.5.2.2).

40

— For a call to a function without a function prototype in scope where the function is not defined with a function prototype, the types of the arguments after promotion are not compatible with those of the parameters after promotion (with certain exceptions) (6.5.2.2).

41

A function is defined with a type that is not compatible with the type (of the expression) pointed to by the expression that denotes the called function (6.5.2.2).

Functions that are appropriately declared (as in DCL07-C. Include the appropriate type information in function declarators) will typically generate a compiler error if they are supplied with the wrong number or types of arguments. However, there are cases in which supplying the incorrect arguments to a function will, at best, generate compiler warnings. While such warnings should be resolved, they do not prevent program compilation. (See MSC00-C. Compile cleanly at high warning levels.)

Noncompliant Code Example

In this noncompliant example, the C Standard Library function strchr() is called through the function pointer fp with incorrectly typed arguments. According to the C Standard, subclause 6.3.2.3 paragraph 8 [ISO/IEC 9899:2011],

A pointer to a function of one type may be converted to a pointer to a function of another type and back again; the result shall compare equal to the original pointer. If a converted pointer is used to call a function whose type is not compatible with the referenced type, the behavior is undefined.

(See also undefined behavior 26 in Annex J of the C Standard.)

#include <stdio.h>
#include <string.h>

char *(*fp)();

int main(void) {
  const char *c;
  fp = strchr;
  c = fp("Hello", 'e');
  printf("%s\n", c);
  return 0;
}

Compliant Solution

In this compliant solution, the function pointer fp points to a function returning char * with the correct number and type of arguments:

#include <stdio.h>
#include <string.h>

char *(*fp)(const char *, int);

int main(void) {
  const char *c;
  fp = strchr;
  c = fp("Hello",'e');
  printf("%s\n", c);
  return 0;
}

Noncompliant Code Example

In this noncompliant example, the function copy() is defined to take three arguments but is called with two arguments:

/* In another source file */
#include <string.h>
void copy(char *dst, const char *src, size_t size) {
  if (!strncpy(dst, src, size)) {
    /* Report error */
  }
}
 
/* In this source file, no copy prototype in scope */
void copy();
 
void g(const char *s) {
  enum { BUFFERSIZE = 20 };
  char buf[BUFFERSIZE];
  copy(buf, s);
}

Compliant Solution

In this compliant solution, the prototype for the copy() function is included in the scope in the source file where it is used, and the copy() function is passed the correct number and type of arguments:

/* In another source file */
#include <string.h>
void copy(char *dst, const char *src, size_t size) {
  if (strncpy(dst, src, size) == 0) {
    /* Report error */
  }
}
 
/* Copy prototype in scope in this source file */
void copy(char *dst, const char *src, size_t size);
 
void g(const char *s) {
  enum { BUFFERSIZE = 20 };
  char buf[BUFFERSIZE];
  copy(buf, s, BUFFERSIZE); 
}

Noncompliant Code Example

In this noncompliant example, the function buginf() is defined to take a variable number of arguments and expects them all to be signed integers, with a sentinel value of -1:

/* In another source file */
void buginf(const char *fmt, ...) {
   /* ... */
}
 
/* In this source file, no buginf prototype in scope */
void buginf();
 
void h(void) {
  buginf("bug in function %s, line %d\n", "h", __LINE__);
}

While this code appears to be well-defined due to the prototype-less declaration of buginf(), this code exhibits undefined behavior per subclause 6.5.2.2 paragraph 6 [ISO/IEC 9899:2011]:

If the expression that denotes the called function has a type that does not include a prototype, the integer promotions are performed on each argument, and arguments that have type float are promoted to double. These are called the default argument promotions. If the number of arguments does not equal the number of parameters, the behavior is undefined. If the function is defined with a type that includes a prototype, and either the prototype ends with an ellipsis (, ...) or the types of the arguments after promotion are not compatible with the types of the parameters, the behavior is undefined.

Compliant Solution

In this compliant solution, the prototype for the function buginf() is included in the scope in the source file where it is used:

/* In another source file */
void buginf(const char *fmt, ...) {
   /* ... */
}

/* buginf prototype in scope in this source file */
void buginf(const char *fmt, ...);
 
void h(void) {
  buginf("bug in function %s, line %d\n", "h", __LINE__);
  /* ... */
}

Noncompliant Code Example

In this noncompliant example, the function f() is defined to take an argument of type long, but f() is called from another file with an argument of type int:

/* In another source file */
long f(long x) {
  return x < 0 ? -x : x;
}

/* In this source file, no f prototype in scope */
long f();
 
long g(int x) {
  return f(x);
}

Compliant Solution

In this compliant solution, the prototype for the function f() is included in the scope in the source file where it is used, and the function f() is correctly called with an argument of type long:

/* In another source file */
 
long f(long x) {
  return x < 0 ? -x : x;
}

/* f prototype in scope in this source file */

long f(long x); 

long g(int x) {
  return f((long)x);  
}

Noncompliant Code Example (POSIX)

The POSIX function open() [Open Group 2004] is a variadic function with the following prototype:

int open(const char *path, int oflag, ... );

The open() function accepts a third argument to determine a newly created file's access mode. If open() is used to create a new file, and the third argument is omitted, the file may be created with unintended access permissions. (See FIO06-C. Create files with appropriate access permissions.)

In this noncompliant code example from a vulnerability in the useradd() function of the shadow-utils package CVE-2006-1174, the third argument to open() has been accidentally omitted:

fd = open(ms, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC);

Note that, technically, it is also incorrect to pass a third argument to open() when not creating a new file (that is, with the O_CREAT flag not set). A POSIX implementation could, if it wished, return an EINVAL error in this case. However, in practice, it is unlikely to cause a problem.

Compliant Solution (POSIX)

To correct this example, a third argument is specified in the call to open():

#include <fcntl.h>
 
void func(const char *ms, mode_t perms) {
  /* ... */
  int fd;
  fd = open(ms, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC, perms);
  if (fd == -1) {
    /* Handle error */
  }
}

Risk Assessment

Calling a function with incorrect arguments can result in unexpected or unintended program behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP37-C

Medium

Probable

High

P4

L3

Automated Detection

ToolVersionCheckerDescription
Compass/ROSE  

Can detect some violations of this rule. In particular, it ensures that all calls to open() supply exactly two arguments if the second argument does not involve O_CREAT, and exactly three arguments if the second argument does involve O_CREAT

ECLAIR

1.2

CC2.EXP37

Partially implemented

EDG   
Fortify SCA5.0  
GCC4.3.5 

Can detect violation of this rule when the -Wstrict-prototypes flag is used. However, it cannot detect violations involving variadic functions, such as the open() example described earlier

LDRA tool suite

9.7.1

41 D
98 S
170 S
496 S
576 S

Partially implemented
PRQA QA-C
Unable to render {include} The included page could not be found.
3001
0674(C)
Partially implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[CVE]CVE-2006-1174
[ISO/IEC 9899:2011]Subclause 6.3.2.3, "Pointers"
Subclause 6.5.2.2, "Function Calls"
[Spinellis 2006]Section 2.6.1, "Incorrect Routine or Arguments"

 


  • No labels