The C standard library macro va_start() places several semantic restrictions on the value of its second parameter. The C Standard, subclause 7.16.1.4, paragraph 4 [ISO/IEC 9899:2011], states:

The parameter parmN is the identifier of the rightmost parameter in the variable parameter list in the function definition (the one just before the , ...). If the parameter parmN is declared with the register storage class, with a function or array type, or with a type that is not compatible with the type that results after application of the default argument promotions, the behavior is undefined.

...

The primary differences between the C and C++ semantic requirements are as follows:

  • You must not pass a reference type as the second argument to va_start().
  • Passing a nontrivially copyable type as the second argument to va_start() is conditionally supported with implementation-defined semantics ([expr.call] paragraph 7).
  • You may pass a parameter declared with the register keyword ([dcl.stc] paragraph 3), or a parameter with a function type.

Passing an array type still produces undefined behavior in C++ because an array type as a function parameter requires use of a reference, which is prohibited.

...

In this noncompliant code example, a nontrivially copyable type (std::string) is passed as the second argument to va_start(), which is only conditionally supported and therefore depends on the implementation:

```cpp
#include <cstdarg>
#include <iostream>
#include <string>

void f(std::string s, ...) {
  va_list list;
  // std::string is not trivially copyable, so naming it as the second
  // argument of va_start() is only conditionally supported
  // ([expr.call] paragraph 7); the implementation may reject or mishandle it.
  va_start(list, s);
  std::cout << s << ", " << va_arg(list, int);
  va_end(list);
}
```
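The following is an added example, not code from the CERT page: it shows a compliant form of the function above, in which the parameter named in va_start() is a plain unsigned integer and the text is passed as a const char* (both trivially copyable and unchanged by the default argument promotions), together with a hypothetical variadic-template alternative that removes va_start() from the picture entirely. The function names join_ints and join_ints_pack are assumptions introduced for illustration.

```cpp
#include <cstdarg>
#include <cstddef>
#include <string>
#include <utility>

// Added example (not from the CERT page). The rightmost named parameter,
// `count`, is std::size_t: trivially copyable, not a reference, not an
// array or function type, and not altered by the default argument
// promotions, so va_start(list, count) is well-defined in both C and C++.
// The string the noncompliant example took as a std::string is taken here
// as a const char*, which is also trivially copyable. A `char`, `short`,
// `float` or `bool` in the `count` position would be promoted (to int or
// double) and would make the va_start() call undefined.
std::string join_ints(const char *prefix, std::size_t count, ...) {
  std::string out = prefix;
  va_list list;
  va_start(list, count);
  for (std::size_t i = 0; i < count; ++i) {
    if (i != 0) {
      out += ", ";
    }
    // Variadic arguments are read as their promoted type; callers pass
    // int, so va_arg(list, int) is the matching read.
    out += std::to_string(va_arg(list, int));
  }
  va_end(list);
  return out;
}

// Hypothetical alternative (also not from the page): a variadic template
// needs no va_start(), so a std::string can be taken by value and every
// argument type is checked by the compiler (a non-int argument is a
// narrowing error in the braced array initialisation below).
template <typename... Ints>
std::string join_ints_pack(std::string prefix, Ints... values) {
  std::string out = std::move(prefix);
  const int vals[] = {0, values...};  // leading 0 keeps an empty pack legal
  for (std::size_t i = 1; i < sizeof(vals) / sizeof(vals[0]); ++i) {
    if (i != 1) {
      out += ", ";
    }
    out += std::to_string(vals[i]);
  }
  return out;
}

int main() {
  const bool ok =
      join_ints("codes: ", 3, 200, 404, 500) == "codes: 200, 404, 500" &&
      join_ints_pack(std::string("codes: "), 200, 404) == "codes: 200, 404";
  return ok ? 0 : 1;
}
```

The practical check is on the parameter named in va_start(): it must be the rightmost named parameter, and its declared type must survive the default argument promotions unchanged. Pointers, int, long, double and std::size_t all qualify; references, arrays, functions and nontrivially copyable class types do not.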

...

Risk Assessment

Passing a reference type or a nontrivially copyable type as the second argument to va_start() can result in undefined behavior that might be exploited to cause data integrity violations.

Rule       Severity  Likelihood  Remediation Cost  Priority  Level
EXP58-CPP  Medium    Unlikely    Medium            P4        L3

Automated Detection

Tool   Version  Checker    Description
Clang           -Wvarargs  Does not catch all instances of this rule, such as the second noncompliant code example.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

Bibliography

[ISO/IEC 9899:2011] 7.16.1.4, "The va_start macro"
[ISO/IEC 14882-2014] 18.10, "Other Runtime Support"

...