Function declarators must be declared with the appropriate type information, including a return type and parameter list. If type information is not properly specified in a function declarator, the compiler cannot properly check function type information. When using standard library calls, the easiest (and preferred) way to obtain function declarators with appropriate type information is to include the appropriate header file.
Attempting to compile a program with a function declarator that does not include the appropriate type information typically generates a warning but does not prevent program compilation. These warnings should be resolved. (See MSC00-C. Compile cleanly at high warning levels.)
Noncompliant Code Example (Non-Prototype-Format Declarators)
This noncompliant code example uses the identifier-list form for parameter declarations:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int max(a, b)
int a, b;
{
return a > b ? a : b;
}
|
Subclause 6.11.7 of the C Standard [ISO/IEC 9899:2011] states that "the use of function definitions with separate parameter identifier and declaration lists (not prototype-format parameter type and identifier declarators) is an obsolescent feature."
Compliant Solution (Non-Prototype-Format Declarators)
In this compliant solution, int is the type specifier, max(int a, int b) is the function declarator, and the block within the curly braces is the function body:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int max(int a, int b) {
return a > b ? a : b;
}
|
Noncompliant Code Example (Function Prototypes)
Declaring a function without any prototype forces the compiler to assume that the correct number and type of parameters have been supplied to a function. This practice can result in unintended and undefined behavior.
In this noncompliant code
| Wiki Markup |
|---|
C99 removed implicit function declarations from the C language \[[ISO/IEC9899-1999|AA. C References#ISO/IEC 9899-1999]\]. However, compilers will typically allow compilation of programs that contain implicitly defined functions, although they will issue a warning. These warnings should be resolved \[[MSC00-A|MSC00-A. Compile cleanly at high warning levels]\], but they will not prevent program compilation.
Failure to specify function prototypes results in a function being implicitly defined. Without a function prototype, the compiler will assume the the correct number and type of parameters have been supplied to a function. This can result in undefined, and perhaps unintended behavior. Given this, functions should be declared with the appropriate function prototype. |
Non-Compliant Code Example 1
In this example, the definition of func() in file_a.c expects three parameters but is supplied only two:
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* file_a.c source file */ int func(int one, int two, int three){ printf("%d %d %d", one, two, three); return 1; } |
However, because there is no prototype for func() in file_b.c, the compiler assumes that the correct number of parameters arguments has been supplied , using and uses the next value on the program stack as the missing third argument.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* file_b.c source file */ func function(1, 2); |
C99 eliminated implicit function declarations from the C language. However, many compilers still allow the compilation of programs containing implicitly declared functions, although they may issue a warning message. These warnings should be resolved. (See MSC00-C. Compile cleanly at high warning levels.)
Compliant Solution (Function Prototypes)
This compliant solution correctly includes the function prototype for func() in the compilation unit in which it is invoked, and the function invocation has been corrected to pass the right number of arguments:
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* file_b.c source file */ int func(int one, int two, int three){ printf("%d %d %d", one, two, three); return 1; } |
Compliant Solution
| Code Block | ||
|---|---|---|
| ||
int function(int,int,int);
...
function(1,2);
...
int func(int one, int two, int three){
printf("%d %d %d", one, two, three);
return 1;
}
|
Non-Compliant Code Example 2
| Code Block | ||
|---|---|---|
| ||
function(1, 2);
...
int func(int one, int two, int three){
printf("%d %d %d", one, two, three);
return 1;
}
|
Examples of vulnerabilities with CVE entry number
CVE-2002-1236, CAN-2003-0422 - CGI crashes when called without any arguments
CVE-2002-1531, CAN-2002-1077 - crash in HTTP request without a Content-Length field
CAN-2002-1358 - empty elements/strings in protocol test suite affect many SSH2 servers/clients
CAN-2003-0477 - FTP server crashes in PORT command without an argument
CVE-2002-0107 - resultant infoleak in web server via GET requests without HTTP/1.0 version string
CAN-2002-0596 - GET reqeust with empty parameter leads to error message infoleak (path disclosure)
Risk Assesment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRAFT | 2 (medium) | 3 (likely) | 2 (medium) | P12 | L1 |
References
;
func(1, 2, 3);
|
Noncompliant Code Example (Function Pointers)
If a function pointer refers to an incompatible function, invoking that function via the pointer may corrupt the process stack. As a result, unexpected data may be accessed by the called function.
In this noncompliant code example, the function pointer fn_ptr refers to the function add(), which accepts three integer arguments. However, fn_ptr is specified to accept two integer arguments. Setting fn_ptr to refer to add() results in unexpected program behavior. This example also violates EXP37-C. Call functions with the correct number and type of arguments:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int add(int x, int y, int z) {
return x + y + z;
}
int main(int argc, char *argv[]) {
int (*fn_ptr) (int, int);
int res;
fn_ptr = add;
res = fn_ptr(2, 3); /* Incorrect */
/* ... */
return 0;
}
|
Compliant Solution (Function Pointers)
To correct this example, the declaration of fn_ptr is changed to accept three arguments:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int add(int x, int y, int z) {
return x + y + z;
}
int main(int argc, char *argv[]) {
int (*fn_ptr) (int, int, int) ;
int res;
fn_ptr = add;
res = fn_ptr(2, 3, 4);
/* ... */
return 0;
}
|
Risk Assessment
Failing to include type information for function declarators can result in unexpected or unintended program behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL07-C | Low | Unlikely | Low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| function-prototype implicit-function-declaration | Partially checked | ||||||
| Axivion Bauhaus Suite |
| CertC-DCL07 | |||||||
| CodeSonar |
| LANG.FUNCS.PROT LANG.STRUCT.DECL.IMPT | Incomplete function prototype Implicit Type | ||||||
| CC2.DCL07 | Fully implemented | |||||||
| GCC |
| Can detect violation of this recommendation when the | |||||||
| Helix QAC |
| C1304, C2050, C3331, C3335, C3408, C3450 | |||||||
| Klocwork |
| MISRA.FUNC.PROT_FORM.KR.2012 MISRA.FUNC.NOPROT.DEF MISRA.CAST.FUNC_PTR.2012 | |||||||
| LDRA tool suite |
| 21 S | Fully implemented | ||||||
| PC-lint Plus |
| 718, 746, 936, 9074 | Fully supported | ||||||
| Polyspace Bug Finder |
| Checks for:
Rec. fully covered. | |||||||
| RuleChecker |
| function-prototype implicit-function-declaration | Partially checked | ||||||
| SonarQube C/C++ Plugin |
| S819, S930 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| ISO/IEC TR 24772:2013 | Type System [IHN] Subprogram Signature Mismatch [OTR] |
| ISO/IEC TS 17961 | Using a tainted value as an argument to an unprototyped function pointer [taintnoproto] |
| MISRA C:2012 | Rule 8.2 (required) |
Bibliography
| [ISO/IEC 9899:2011] | Subclause 6.11.7, "Function Definitions" |
| [Spinellis 2006] | Section 2.6.1, "Incorrect Routine or Arguments" |
...
...