SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 25

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 26

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Variadic functions can accept a variable number of arguments, but are problematic. Variadic functions define an implicit contract between the function writer and the function user that allows the function to determine the number of arguments passed passed in any particular invocation. Failure to exercise care when invoking a variadic function to ensure that it knows when to stop processing arguments , or incorrect management of the argument list, may result in stack corruptionundefined behavior.

Argument Processing

Wiki Markup
In the following code example, the variadic function {{average()}} is used to determine the average value of its passed integer arguments \[[Seacord 05c|AA. C References#Seacord 05c]\].  The function processes arguments until it finds one with a value of {{\-1}}.

...

In the following line of code from a vulnerabilityin vulnerability in an implementation of a useradd() function from the shadow-utils package, the POSIX function open() (which is implemented as a variadic function) is called missing an argument CVE-2006-1174 . If the stack is manipulated by an attacker, the missing argument, which controls access permissions, can be set to a value that allows for an unauthorized user to read or modify data.

...

Code Block
bgColor#ffcccc
const char *error_msg = "Resource not available to user.";
/* ... */
printf("Error (%s): %s", error_msg);

Argument List Caveats

C99 functions that accept the variadic primitive va_list as an argument pose an additional risk. Calls to vfprintf(), vfscanf(), vprintf(), vscanf(), vsnprintf(), vsprintf(), and vsscanf() use the va_arg() macro, invalidating the parameterized va_list. Consequently, once a va_list is passed as an argument to any of these functions, it cannot be used again except in a call to the va_end() macro.

Risk Assessment

Incorrectly using a variadic function can result in abnormal program termination or unintended information disclosure.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL10-A

2 (medium)

2 (probable)

2 (medium)

P8

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.15, "Variable arguments"; 7.19.6.8 "The {{vfprintf}} function"
\[[Seacord 05c|AA. C References#Seacord 05c]\]