SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 93

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 94

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not call a function with the wrong number or type of arguments. 

The C Standard identifies four distinct situations in which undefined behavior may arise as a result of invoking a function using a declaration that is incompatible with its definition or with incorrect types or numbers of arguments:

UBDescription

26

A pointer is used to call a function whose type is not compatible with the pointed-to type (6.3.2.3).

38

For a call to a function without a function prototype in scope, the number of arguments does not equal the number of parameters (6.5.2.2).

39

For call to a function without a function prototype in scope where the function is defined with a function prototype, either the prototype ends with an ellipsis or the types of the arguments after promotion are not compatible with the types of the parameters (6.5.2.2).

41

A function is defined with a type that is not compatible with the type (of the expression) pointed to by the expression that denotes the called function (6.5.2.2).

...

(See also undefined behavior 26 in Annex J of the C Standard.)

Code Block
bgColor#FFCCCC
langc
#include <stdio.h>
#include <string.h>

char *(*fp) ();

int main(void) {
  char *c;
  fp = strchr;
  c = fp(12, 2);
  printf("%s\n", c);
  return 0;
}

...

Can detect violation of this rule when the -Wstrict-prototypes flag is used. However, it cannot detect violations involving variadic functions, such as the open() example described earlier.
ToolVersionCheckerDescriptionGCC
Include Page
GCC_VGCC_V 
Compass/ROSE  

can detect some violations of this rule. In particular, it ensures that all calls to open() supply exactly two arguments if the second argument does not involve O_CREAT, and exactly three arguments if the second argument does involve O_CREAT.

EDG   
Fortify SCA5.0  
GCC
Include Page
GCC_V
GCC_V
 

Can detect violation of this rule when the -Wstrict-prototypes flag is used. However, it cannot detect violations involving variadic functions, such as the open() example described earlier.

LDRA tool suite

Include Page
LDRA_V
LDRA_V

41 D
98 S
170 S
496 S
576 S

Partially implemented.
PRQA QA-C
Include Page
PRQA_V
PRQA_V
3001
0674(C)  
Partially implemented.
Fortify SCAV. 5.0  
EDG   

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

]Subprogram signature mismatch [OTR
CERT C++ Secure Coding StandardEXP37-CPP. Call variadic functions with the arguments intended by the API
ISO/IEC TR 24772Subprogram signature mismatch [OTR]
ISO/IEC TS 17961(Draft) Calling functions with incorrect arguments [argcompISO/IEC TR 24772]
MISRA-CRule 16.6 (required): The number of arguments passed to a function shall match the number of parameters
MITRE CWECWE-628, Function call with incorrectly specified arguments

...

[CVE]CVE-2006-1174
[ISO/IEC 9899:2011]Foreword and Section 6.93.2.13, "Function DefinitionsPointers"
[Spinellis 2006]Section 2.6.1, "Incorrect Routine or Arguments"

...