...
Noncompliant Code Example (NULL
)
Because the The C Standard allows Standard allows NULL to be either an integer constant or a pointer constant, any architecture in which int
is not the same size as a pointer might present a particular vulnerability with variadic functions. If NULL
is defined as an int
on such a platform, then . While passing NULL as an argument to a function with a fixed number of arguments will cause NULL to be cast to the appropriate pointer type, when it is passed as a variadic argument, this will not happen if sizeof(NULL) != sizeof(void *)
, so variadic functions that accept an argument of pointer type will not correctly promote NULL
to the correct size. Consequently.
This is possible for several reasons:
- Pointers and ints may have different sizes on a platform where NULL is an integer constant
- The platform may have different pointer types with different sizes on a platform. In that case, if NULL is a void pointer, it is the same size as a pointer to char (C11 section 6.2.5, paragraph 28), which might be sized differently than the required pointer type.
On either such platform, the following code will have have undefined behavior:
Code Block | ||||
---|---|---|---|---|
| ||||
char* string = NULL; printf("%s %d\n", string, 1); |
...
Inconsistent typing in variadic functions can result in abnormal program termination or unintended information disclosure.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL11-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-DCL11 | |||||||
CodeSonar |
| LANG.STRUCT.ELLIPSIS | Ellipsis | ||||||
Compass/ROSE |
Does not currently detect violations of this recommendation. Although the recommendation in general cannot be automated, because of the difficulty in enforcing contracts between a variadic function and its invokers, it would be fairly easy to enforce type correctness on arguments to the | |||||||||
| CC2.DCL11 | Partially implemented | |||||||
GCC |
|
Warns about inconsistently typed arguments to formatted output functions when the | |||||||||
Helix QAC |
| C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0206, C0207, C0208 | |||||||
Klocwork |
| MISRA.FUNC.VARARG SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD SV.FMT_STR.PRINT_FORMAT_MISMATCH.UNDESIRED SV.FMT_STR.SCAN_FORMAT_MISMATCH.BAD SV.FMT_STR.SCAN_FORMAT_MISMATCH.UNDESIRED SV.FMT_STR.PRINT_IMPROP_LENGTH SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY SV.FMT_STR.UNKWN_FORMAT.SCAN | |||||||
LDRA tool suite |
| 41 S, 589 S | Partially implemented | ||||||
Parasoft |
C/C++test |
|
0179 (U)
0184 (U)
0185 (U)
0186 (U)
0190 (U)
0191 (U)
0192 (U)
0193 (U)
0194 (U)
0195 (U)
0196 (U)
0197 (U)
0198 (U)
0199 (U)
0200 (U)
0201 (U)
0206 (U)
0207
0208
| CERT_C-DCL11-a |
| |||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 175, 559, 2408 | Assistance provided: reports issues involving format strings | ||||||
Polyspace Bug Finder |
| Checks for format string specifiers and arguments mismatch (rec. partially covered) | |||||||
PVS-Studio |
| V576 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
Related Guidelines
ISO/IEC TR 24772:2013 | Type System [IHN] Subprogram Signature Mismatch [OTR] |
MISRA C:2012 | Rule 17.1 (required) |
...
...