Versions Compared

...

Because C99 allows NULL to be either an integer constant or a pointer constant, any architecture where int is not the same size as a pointer presents a particular vulnerability with variadic functions. If NULL is defined as an int on such a platform, then sizeof(NULL) != sizeof(void *), and variadic functions that accept an argument of pointer type will not promote NULL to the correct size, because the default argument promotions never widen an int to a pointer. Consequently, the following code has undefined behavior:

Code Block (previous version)

```c
printf("%s %p %d\n", NULL, 1);
printf("%s %d\n", NULL, 1);
```

Code Block (current version)

```c
char *string = NULL;
printf("%s %d\n", string, 1);
```

On a system with 32-bit int and 64-bit pointers, printf() may interpret the NULL as the high-order bits of the pointer and the third argument 1 as the low-order bits. In this case, printf() prints a pointer with the value 0x00000001 and then attempts to read an additional argument for the %d conversion specifier, which was not provided.

Compliant Solution (NULL)

Previous version: In this compliant solution, NULL is cast to the appropriate type before passing it as an argument to printf().

Current version: This compliant solution avoids sending NULL as an argument to a variadic function.

Code Block (previous version)

```c
printf("%s %p %d\n", (void *)NULL, 1);
printf("%s\n", (char *)NULL, 1);
```

Code Block (current version)

```c
char *string = NULL;
/* the trailing 1 has no conversion specifier and is evaluated but ignored */
printf("%s\n", string ? string : "null", 1);
```
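An added example, not code from the CERT page or from either of its versions, showing the defensive pattern both versions aim at: a hypothetical variadic helper `join_strings` that reads `const char *` arguments with `va_arg`, callers that cast NULL to the pointer type before passing it, the `string ? string : "null"` guard from the compliant solution, and a `_Static_assert` that makes a build fail on a platform where NULL is not pointer-sized. The helper name, its signature and the sample inputs are constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compile-time portability check (assumption: C11 or later). On a platform
 * where NULL expands to a plain int, sizeof(NULL) != sizeof(void *) and the
 * build stops here instead of silently misreading variadic arguments. */
_Static_assert(sizeof(NULL) == sizeof(void *),
               "NULL is not pointer-sized; cast NULL before passing it to variadic functions");

/* Hypothetical helper: concatenates `count` C strings passed as variadic
 * `const char *` arguments into `out`, never overflowing `out_size` bytes.
 * Returns the number of characters written (excluding the terminator).
 * Callers must pass every argument as a genuine pointer type, never a bare
 * NULL that might be an int on some platforms. */
size_t join_strings(char *out, size_t out_size, int count, ...) {
    va_list ap;
    size_t written = 0;

    if (out_size == 0) return 0;
    out[0] = '\0';

    va_start(ap, count);
    for (int i = 0; i < count; i++) {
        /* va_arg reads exactly sizeof(const char *) bytes from the argument
         * list; an int-sized NULL here would desynchronise every later read. */
        const char *s = va_arg(ap, const char *);
        /* Same guard as the compliant solution: substitute a real string for
         * a null pointer rather than handing NULL to a %s-style consumer. */
        const char *safe = s ? s : "null";
        size_t len = strlen(safe);

        if (written + len + 1 > out_size) break;   /* keep the terminator in bounds */
        memcpy(out + written, safe, len + 1);
        written += len;
    }
    va_end(ap);
    return written;
}

int main(void) {
    char buf[64];
    const char *missing = NULL;   /* constructed sample input: a null char * */

    /* Every pointer argument is already pointer-typed: an explicit cast on the
     * literal NULL and a char * variable for the other. */
    join_strings(buf, sizeof buf, 3, "a", (const char *)NULL, missing);
    printf("%s\n", buf);   /* prints "anullnull" */
    return 0;
}
```

The cast `(const char *)NULL` is what makes the call portable: after the cast the argument is pointer-sized regardless of how the platform defines NULL, so `va_arg(ap, const char *)` on the callee side reads exactly the bytes the caller pushed.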

Risk Assessment

Inconsistent typing in variadic functions can result in abnormal program termination or unintended information disclosure.

...