Function declarators must be declared with the appropriate type information, including a return type and parameter list. If type information is not properly specified in a function declarator, the compiler cannot properly check function type information. When using standard library calls, the easiest (and preferred) way to obtain function declarators with appropriate type information is to include the appropriate header file.
Attempting to compile a program with a function declarator that does not include the appropriate type information typically generates a warning but does not prevent program compilation. These warnings should be resolved. (See MSC00-C. Compile cleanly at high warning levels.)
Noncompliant Code Example (Non-Prototype-Format Declarators)
This noncompliant code example uses the identifier-list form for parameter declarations:
Code Block | ||||
---|---|---|---|---|
| ||||
int max(a, b)
int a, b;
{
return a > b ? a : b;
}
|
Subclause 6.11.7 of the C Standard [ISO/IEC 9899:2011] states that "the use of function definitions with separate parameter identifier and declaration lists (not prototype-format parameter type and identifier declarators) is an obsolescent feature."
Compliant Solution (Non-Prototype-Format Declarators)
In this compliant solution, int
is the type specifier, max(int a, int b)
is the function declarator, and the block within the curly braces is the function body:
Code Block | ||||
---|---|---|---|---|
| ||||
int max(int a, int b) {
return a > b ? a : b;
}
|
Noncompliant Code Example (Function Prototypes)
Declaring a function without any prototype forces the compiler to assume that the correct number and type of parameters have been supplied to a function. This practice can result in unintended and undefined behavior.
In this noncompliant code example, the definition of func()
in file_a.c
expects three parameters but is supplied only two:
Code Block | ||||
---|---|---|---|---|
| ||||
/* file_a.c source file */
int func |
Failure to specify function prototypes results in a function being implicitly defined. Without a function prototype, the compiler must estimate the correct number of parameters supplied to a function. Calling a function with a different number of arguments then that function expects results in unintended program behavior.
Wiki Markup |
---|
Most compilers will issue a warning when a function is implicitly defined. Although, these warnings should be resolved before proceeding \[MSC00-C\], they will not prevent the program from compiling. |
Non-Compliant Code Example
Code Block | ||
---|---|---|
| ||
function(1, 2); ... void function(int one, int two, int three){ printf("args%d %d %d $d", one, two, three); return 1; } |
Solution: Use function prototypes at the top of .c file or in a .h file so that a compiler error will occur if an incorrect number of arguments are used.
However, because there is no prototype for func()
in file_b.c
, the compiler assumes that the correct number of arguments has been supplied and uses the next value on the program stack as the missing third argument:
Code Block | ||||
---|---|---|---|---|
| ||||
/* file_b.c source file */
func(1, 2);
|
C99 eliminated implicit function declarations from the C language. However, many compilers still allow the compilation of programs containing implicitly declared functions, although they may issue a warning message. These warnings should be resolved. (See MSC00-C. Compile cleanly at high warning levels.)
Compliant Solution (Function Prototypes)
This compliant solution correctly includes the function prototype for func()
in the compilation unit in which it is invoked, and the function invocation has been corrected to pass the right number of arguments:
Code Block | ||||
---|---|---|---|---|
| ||||
/* file_b.c source file */
int func(int, int, int);
func(1, 2, 3);
|
Noncompliant Code Example (Function Pointers)
If a function pointer refers to an incompatible function, invoking that function via the pointer may corrupt the process stack. As a result, unexpected data may be accessed by the called function.
In this noncompliant code example, the function pointer fn_ptr
refers to the function add()
, which accepts three integer arguments. However, fn_ptr
is specified to accept two integer arguments. Setting fn_ptr
to refer to add()
results in unexpected program behavior. This example also violates EXP37-C. Call functions with the correct number and type of arguments:
Code Block | ||||
---|---|---|---|---|
| ||||
int add(int x, int y, int z) {
return x + y + z;
}
int main(int argc, char *argv[]) {
int (*fn_ptr) (int, int);
int res;
fn_ptr = add;
res = fn_ptr(2, 3); /* Incorrect */
/* ... */
return 0;
}
|
Compliant Solution (Function Pointers)
To correct this example, the declaration of fn_ptr
is changed to accept three arguments:
...
Code Block | ||||
---|---|---|---|---|
| ||||
int add void function(int onex, int twoy, int three); //at top of file or in .h file ... function(1,2) //compiler error |
Also using a compiler setting that checks for implicity declared function will prevent accidentally calling a function before it is declared.
gcc 3.4.6 for example will not allow the non compliant code above however below are reports on how the missing parameter problem has caused vulnerabilities.
Examples of vulnerabilities with CVE entry number
CVE-2002-1236, CAN-2003-0422 - CGI crashes when called without any arguments
CVE-2002-1531, CAN-2002-1077 - crash in HTTP request without a Content-Length field
CAN-2002-1358 - empty elements/strings in protocol test suite affect many SSH2 servers/clients
CAN-2003-0477 - FTP server crashes in PORT command without an argument
CVE-2002-0107 - resultant infoleak in web server via GET requests without HTTP/1.0 version string
CAN-2002-0596 - GET reqeust with empty parameter leads to error message infoleak (path disclosure)
Risk Assesment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRAFT | 2 (medium) | 3 (likely) | 2 (medium) | P12 | L1 |
References
z) {
return x + y + z;
}
int main(int argc, char *argv[]) {
int (*fn_ptr) (int, int, int) ;
int res;
fn_ptr = add;
res = fn_ptr(2, 3, 4);
/* ... */
return 0;
}
|
Risk Assessment
Failing to include type information for function declarators can result in unexpected or unintended program behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL07-C | Low | Unlikely | Low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| function-prototype implicit-function-declaration | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC-DCL07 | |||||||
CodeSonar |
| LANG.FUNCS.PROT LANG.STRUCT.DECL.IMPT | Incomplete function prototype Implicit Type | ||||||
| CC2.DCL07 | Fully implemented | |||||||
GCC |
| Can detect violation of this recommendation when the | |||||||
Helix QAC |
| C1304, C2050, C3331, C3335, C3408, C3450 | |||||||
Klocwork |
| MISRA.FUNC.PROT_FORM.KR.2012 MISRA.FUNC.NOPROT.DEF MISRA.CAST.FUNC_PTR.2012 | |||||||
LDRA tool suite |
| 21 S | Fully implemented | ||||||
PC-lint Plus |
| 718, 746, 936, 9074 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rec. fully covered. | |||||||
RuleChecker |
| function-prototype implicit-function-declaration | Partially checked | ||||||
SonarQube C/C++ Plugin |
| S819, S930 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC TR 24772:2013 | Type System [IHN] Subprogram Signature Mismatch [OTR] |
ISO/IEC TS 17961 | Using a tainted value as an argument to an unprototyped function pointer [taintnoproto] |
MISRA C:2012 | Rule 8.2 (required) |
Bibliography
[ISO/IEC 9899:2011] | Subclause 6.11.7, "Function Definitions" |
[Spinellis 2006] | Section 2.6.1, "Incorrect Routine or Arguments" |
...
...