SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 101

changes.mady.by.user Roberto Bagnara

Saved on

compared with

New Version 102

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In this compliant solution, the function pointer fp points to a function returning char *, with the correct number and type of arguments.:

Code Block
bgColor#ccccff
langc
#include <string.h>

char *(*fp) (const char *, int);

int main(void) {
  char *c;
  fp = strchr;
  c = fp("Hello",'H');
  printf("%s\n", c);
  return 0;
}

...

In this noncompliant example, the function copy() is defined to take two arguments but is called with three arguments.:

Code Block
bgColor#FFCCCC
langc
/* in another source file */
void copy(char *dst, const char *src) {
  if (!strcpy(dst, src)) {
    /* report error */
  }
}
 
/* in this source file -- no copy prototype in scope */
void copy();
 
void g(const char *s) {
  char buf[20];
  copy(buf, s, sizeof buf);  /* violation */
  /* ... */
}

...

In this compliant solution, the prototype for the copy() function is included in the scope in the source file where it is used, and the copy() function is passed the correct number and type of arguments.:

Code Block
bgColor#ccccff
langc
/* in another source file */
void copy(char *dst, const char *src) {
  if (!strcpy(dst, src)) {
    /* report error */
  }
}
 
/* copy prototype in scope in this source file  */
void copy(char *dst, const char *src);
 
void g(const char *s) {
  char buf[20];
  copy(buf, s); 
  /* ... */
}

...

In this noncompliant example, the function buginf() is defined to take a variable number of arguments but is declared in another file with no prototype and is called.:

Code Block
bgColor#FFCCCC
langc
/* in another source file */
void buginf(const char *fmt, ...) {
   /* ... */
}

/* in this source file -- no buginf prototype in scope */
void buginf();
 
void h(void) {
  buginf("bug in function %s, line %d\n", __func__, __LINE__);  /* violation */
  /* ... */
}

...

In this compliant solution, the prototype for the function buginf() is included in the scope in the source file where it is used.:

Code Block
bgColor#ccccff
langc
/* in another source file */
void buginf(const char *fmt, ...) {
   /* ... */
}

/* buginf prototype in scope in this source file */

void buginf(const char *fmt, ...);
 
void h(void) {
  buginf("bug in function %s, line %d\n", __func__, __LINE__); 
  /* ... */
}

...

In this noncompliant example, the function f() is defined to take an argument of type long, but f() is called from another file with an argument of type int.:

Code Block
bgColor#FFCCCC
langc
/* in another source file */
 
long f(long x) {
  return x < 0 ? -x : x;
}

/* in this source file -- no f prototype in scope */
 
int g(int x) {
  return f(x);  /* violation */
}

...

In this compliant solution, the prototype for the function f() is included in the scope in the source file where it is used, and the function f() is correctly called with an argument of type int.:

Code Block
bgColor#ccccff
langc
/* in another source file */
 
long f(long x) {
  return x < 0 ? -x : x;
}

/* f prototype in scope in this source file */

long f(long x); 

int g(long x) {
  return f(x);  
}

...

In this noncompliant code example from a vulnerability in the useradd() function of the shadow-utils package CVE-2006-1174, the third argument to open() has been accidentally omitted.:

Code Block
bgColor#ffcccc
langc
fd = open(ms, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC);

...

To correct this example, a third argument is specified in the call to open().:

Code Block
bgColor#ccccff
langc
/* ... */
fd = open(ms, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC, file_access_permissions);
if (fd == -1){
  /* Handle error */
}
/* ... */

...

ToolVersionCheckerDescription
Compass/ROSE  

can detect some violations of this rule. In particular, it ensures that all calls to open() supply exactly two arguments if the second argument does not involve O_CREAT, and exactly three arguments if the second argument does involve O_CREAT.

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

callargs

Partially implemented.

EDG   
Fortify SCA5.0  
GCC
Include Page
GCC_V
GCC_V
 

Can detect violation of this rule when the -Wstrict-prototypes flag is used. However, it cannot detect violations involving variadic functions, such as the open() example described earlier.

LDRA tool suite

Include Page
LDRA_V
LDRA_V

41 D
98 S
170 S
496 S
576 S

Partially implemented.
PRQA QA-C
Include Page
PRQA_V
PRQA_V
3001
0674(C)
Partially implemented.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C++ Secure Coding StandardEXP37-CPP. Call variadic functions with the arguments intended by the API
ISO/IEC TR 24772:2013Subprogram Signature Mismatch [OTR]
ISO/IEC TS 17961 (Draft)Calling functions with incorrect arguments [argcomp]
MISRA -CC:2012Rule 8.2 (required)
Rule 16.617.3 (mandatory)
MITRE CWECWE-628, Function call with incorrectly specified arguments

...