...

Another common mistake is to use more format specifiers than supplied arguments. This results in undefined behavior: the implementation will typically read further values from the stack or argument registers as if they were arguments, and those values (which may include pointers, return addresses, or other data belonging to the process) can end up in the formatted output, unintentionally exposing data. The following example illustrates a case of this, where two "%s" conversions are given but only one argument is supplied:

Non-compliant code (two conversion specifications, one argument):

#include <stdio.h>

const char *error_msg = "Resource not available to user.";
/* ... */
/* Bug: the second %s has no corresponding argument, so printf reads
 * an unrelated value and interprets it as a char pointer. */
printf("Error (%s): %s", error_msg);

...

The following code matches the number of format specifiers with the number of variable arguments.

Compliant solution (one conversion specification, one argument):

#include <stdio.h>

const char *error_msg = "Resource not available to user.";
/* ... */
/* Exactly one %s, exactly one argument. */
printf("Error: %s", error_msg);
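The two examples above rely on the programmer counting conversions by eye. The following added example (written for this page; it is not code from the CERT standard) shows the two checks a practitioner would put in place instead: a format attribute so the compiler itself flags a literal format string whose conversions do not match the arguments (with -Wall/-Wformat on GCC or Clang), and a runtime count of conversion specifications in the format string, so that a variadic wrapper fails closed on a mismatch instead of reading arguments that were never supplied. The names count_conversions, checked_printf and PRINTF_LIKE are this example's own, not part of any library.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Compile-time check: GCC and Clang verify literal format strings against the
 * variadic arguments when -Wformat (part of -Wall) is enabled. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

/* Count the arguments a printf-style format string will consume.
 * "%%" is a literal percent sign and consumes nothing. A '*' used as a
 * field width or precision consumes one extra argument. Returns -1 for a
 * malformed format (a trailing lone '%'), which is itself undefined behavior. */
int count_conversions(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;           /* "%%": literal '%' */
        if (*p == '\0') return -1;         /* dangling '%' */
        while (*p != '\0' && strchr("-+ #0", *p)) p++;          /* flags */
        while (*p == '*' || (*p >= '0' && *p <= '9')) {         /* width */
            if (*p == '*') n++;
            p++;
        }
        if (*p == '.') {                                        /* precision */
            p++;
            while (*p == '*' || (*p >= '0' && *p <= '9')) {
                if (*p == '*') n++;
                p++;
            }
        }
        while (*p != '\0' && strchr("hlLqjzt", *p)) p++;       /* length modifiers */
        if (*p == '\0') return -1;         /* format ended before the conversion char */
        n++;                               /* the conversion itself */
    }
    return n;
}

/* Runtime check: the caller states how many variadic arguments it passed.
 * If the format string wants a different number, nothing is formatted and
 * -1 is returned, so no argument slot that was never supplied is ever read. */
PRINTF_LIKE(2, 3)
int checked_printf(int nargs, const char *fmt, ...) {
    int want = count_conversions(fmt);
    if (want < 0 || want != nargs) return -1;
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

int main(void) {
    const char *error_msg = "Resource not available to user.";  /* constructed sample */
    /* Mismatch from the non-compliant example above: refused, returns -1. */
    int rc1 = checked_printf(1, "Error (%s): %s\n", error_msg);
    /* Matching count from the compliant solution: formatted normally. */
    int rc2 = checked_printf(1, "Error: %s\n", error_msg);
    printf("mismatch rc=%d, match rc=%d\n", rc1, rc2);
    return 0;
}
```

The compile-time attribute catches the common case (a literal format string) before the program ever runs; the runtime count covers format strings assembled or selected at runtime, where the compiler cannot see them. Neither check makes a format string taken from untrusted input safe; the format string itself must still come from the program.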

...

Risk Assessment

Recommendation   Severity     Likelihood     Remediation Cost   Priority   Level
DCL10-A          2 (medium)   2 (probable)   2 (medium)         P8         L2

Related Vulnerabilities

...