An application programming interface (API) specifies how a function is intended to be called. Calling a function with incorrect arguments can result in unexpected or unintended program behavior. Functions that are appropriately declared (as in guideline recommendation DCL07-C. Include the appropriate type information in function declarators) will typically fail compilation if they are supplied with the wrong number or types of arguments. However, there are cases where supplying the incorrect arguments to a function will at best generate compiler warnings. These warnings should be resolved, but they do not prevent program compilation. (See guideline recommendation MSC00-C. Compile cleanly at high warning levels.)
...
The open() function accepts a third argument to determine a newly created file's access mode. If open() is used to create a new file, and the third argument is omitted, the file may be created with unintended access permissions. (See guideline recommendation FIO06-C. Create files with appropriate access permissions.)
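The following is an added example, not code from the CERT page: the noncompliant call from the text is kept as a comment, and the compliant form passes the mode explicitly and then reads back the permission bits that were actually set. It assumes a POSIX system with a writable /tmp; the function names and the file path are the example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Noncompliant form from the text, shown only as a comment: with O_CREAT and
 * no third argument the new file's permission bits are whatever happens to be
 * in the variadic argument slot.
 *     int fd = open(path, O_WRONLY | O_CREAT);
 */

/* Compliant form: create `path` (which must not already exist) with the
 * requested permission bits and report the bits actually set on the new
 * file. Returns (st_mode & 0777) on success, -1 on failure. */
int create_with_mode(const char *path, mode_t mode)
{
    /* O_EXCL makes the call fail if the file exists, so whenever it
     * succeeds the mode argument is the one that was applied. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd == -1)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == -1 ? -1 : (int)(st.st_mode & 0777);
}

/* The bits open() will actually apply: the requested mode with the process
 * umask cleared. umask() has no read-only form, so set it and restore it. */
mode_t effective_mode(mode_t mode)
{
    mode_t mask = umask(0);
    umask(mask);
    return mode & ~mask;
}

int main(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/exp37c_example_%ld", (long)getpid());
    int bits = create_with_mode(path, S_IRUSR | S_IWUSR);
    printf("requested 0600, got %04o (expected %04o after umask)\n",
           (unsigned)bits, (unsigned)effective_mode(S_IRUSR | S_IWUSR));
    unlink(path);
    return bits == -1;
}
```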
...
Note that technically it is also incorrect to pass a third argument to open() when not creating a new file (that is, with the O_CREAT flag not set). A POSIX implementation could, if it wished, return an EINVAL error in this case. However, in practice it is unlikely to cause a problem.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: EXP37-CPP. Call variadic functions with the arguments intended by the API
Bibliography
[CVE] CVE-2006-1174, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1174
[ISO/IEC 9899:1999] Foreword and Section 6.9.1, "Function definitions"
[ISO/IEC PDTR 24772] TR 24772, "OTR Subprogram Signature Mismatch"
[MISRA 2004] Rule 16.6
[MITRE 2007] CWE ID 628, "Function Call with Incorrectly Specified Arguments", http://cwe.mitre.org/data/definitions/628.html
[Spinellis 2006] Section 2.6.1, "Incorrect Routine or Arguments"
...