An application programming interface (API) specifies how a function is intended to be called. Calling a function with incorrect arguments can result in unexpected or unintended program behavior. Functions that are appropriately declared (as in DCL07-C. Include the appropriate type information in function declarators) will typically fail compilation if they are supplied with the wrong number or types of arguments. However, there are cases where supplying the incorrect arguments to a function will at best generate compiler warnings. These warnings should be resolved but do not prevent program compilation.(See MSC00-C. Compile cleanly at high warning levels.)
Noncompliant Code Example (Function Pointers)
...
The POSIX function open() [Open Group 2004] is a variadic function with the following prototype:
...
The open() function accepts a third argument to determine a newly created file's access mode. If open() is used to create a new file, and the third argument is omitted, the file may be created with unintended access permissions. (See FIO06-C. Create files with appropriate access permissions.)
In this noncompliant code example from a vulnerability in the useradd() function of the shadow-utils package CVE-2006-1174 , the third argument to open() has been accidentally omitted.
...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| GCC |
| Can detect violation of this rule when the | |||||||
| Compass/ROSE | can detect some violations of this rule. In particular, it ensures that all calls to | ||||||||
| 41 D | Partially implemented. | |||||||
| PRQA QA-C |
| 3001 | Partially implemented |
Related Vulnerabilities
...
ISO/IEC TR 17961 (Draft) Calling functions with incorrect arguments [argcomp]
ISO/IEC TR 24772 "OTR Subprogram signature mismatch"
MISRA Rule 16.6
MITRE CWE: CWE-628, "Function call with incorrectly specified arguments"
Bibliography
[CVE] CVE-2006-1174
[Spinellis 2006] Section 2.6.1, "Incorrect routine or arguments"
...