Page History

Failure to specify function prototypes results in a function being implicitly defined. Without a function prototype, the compiler will assume the the correct number of parameters have been supplied to a function. Calling a function with a different number of arguments then that function expects results in undefined, and perhaps unintended program behavior.

CompilersC99 removed implicit function declarations from the C language [ref]. However, compilers will typically issueallow acompilation warningof whenprograms athat function iscontain implicitly defined. Althoughfunctions, these although they will issue a warning. These warnings should be resolved before proceeding \[[MSC00-A|MSC00-A. Compile cleanly at high warning levels]\], but they will not prevent program compilation []. Given this, functions should be declared with the programappropriate fromfunction compilingprototype.

Non-Compliant Code Example 1

function(1, 2);
...
int func(int one, int two, int three){
  printf("%d %d %d", one, two, three);
  return 1;
}

...

Compliant Solution

int function(int,int,int); //at top of file or in .h file
...

function(1,2); //compiler error
...
int func(int one, int two, int three){
  printf("%d %d %d", one, two, three);
  return 1;
}

Also using a compiler setting that checks for implicity declared function will prevent accidentally calling a function before it is declared.

...

Non-Compliant Code Example 2

function(1, 2);
...
int func(int one, int two, int three){
  printf("%d %d %d", one, two, three);
  return 1;
}

Examples of vulnerabilities with CVE entry number

CVE-2002-1236, CAN-2003-0422 - CGI crashes when called without any arguments

...

CAN-2002-0596 - GET reqeust with empty parameter leads to error message infoleak (path disclosure)

Risk Assesment

References

• http://cwe.mitre.org/
• http://cve.mitre.org/ISO/IEC 9899 Common Warnings 2