Variadic functions can accept a variable number of arguments , but are problematic. Variadic functions define an implicit contract between the function writer and the function user that allows the function to determine the number of arguments passed passed in any particular invocation. Failure to exercise care when invoking a variadic function to ensure that it knows when to stop processing arguments, or incorrect management of the argument list, may result in stack corruptionenforce this contract may result in undefined behavior. See undefined behavior 141 of Appendix J of the C Standard.
Argument Processing
...
In the following code example, the variadic function {{average()
}} is used to determine the average value of its passed integer arguments \[[Seacord 05c|AA. C References#Seacord 05c]\]. The function processes arguments until it finds one with a value of {{\-1}}. calculates the average value of the positive integer arguments passed to the function [Seacord 2013]. The function processes arguments until it encounters an argument with the value of va_eol
(-1
).
Code Block |
---|
enum { va_eol = -1 };
unsigned |
Code Block |
int average(int first, ...) { unsigned size_tint count = 0; unsigned int sum = 0; int i = first; va_list markerargs; va_start(markerargs, first); while (i != -1va_eol) { sum += i; count++; i = va_arg(markerargs, int); } va_end(markerargs); return(count ? (sum / count) : 0); } |
Note that va_start()
must be called to initialize the argument list and that va_end()
must always be called when finished with a variable argument list.
Noncompliant Code Example
In this noncompliant code example, the average()
However, if the function is called as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
int avg = average(1, 4, 6, 4, 1);
|
The omission of the -1
va_eol
terminating value means that on some architectures, the function will continue to grab process values from the stack until it either hits a -1
encounters a va_eol
by coincidence , or until it is terminated.
In the following line of code from a vulnerabilityin an implementation of a useradd()
function from the shadow-utils
package, the POSIX function open()
(which is implemented as a variadic function) is called missing an argument CVE-2006-1174 . If the stack is manipulated by an attacker, the missing argument, which controls access permissions, can be set to a value that allows for an unauthorized user to read or modify data.
Code Block | ||
---|---|---|
| ||
fd = open(ms, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC);
|
or an error occurs.
Compliant Solution
This compliant solution enforces the contract by adding va_eol
as the final argument:
Code Block | ||||
---|---|---|---|---|
| ||||
int avg = average(1, 4, 6, 4, 1, va_eol);
|
Noncompliant Code Example
Another common mistake is to use more format conversion specifiers than supplied arguments, as shown in this noncompliant code example:
Code Block | ||||
---|---|---|---|---|
| ||||
const char *error_msg = "Resource not available to user."; /* ... */ printf("Error (%s): %s", error_msg); |
This code results in nonexistent arguments being processed by the function, potentially leaking information about the process.
Compliant Solution
This compliant solution matches the number of format specifiers with the number of variable arguments This results in undefined behavior, which could end up pulling extra values off the stack and unintentionally exposing data. The following example illustrates a case of this:
Code Block | ||||
---|---|---|---|---|
| ||||
const char *error_msg = "Resource not available to user."; /* ... */ printf("Error (%s): %s", error_msg); |
Argument List Caveats
C99 C functions that accept the variadic primitive va_list
as an argument pose an additional risk. Calls to vfprintf()
, vfscanf()
, vprintf()
, vscanf()
, vsnprintf()
, vsprintf()
, and vsscanf()
use the va_arg()
macro, invalidating the parameterized va_list
. Consequently, once a va_list
is passed as an argument to any of these functions, it cannot be used again except in without a call to the va_end()
macro followed by a call to va_start()
.
Risk Assessment
Incorrectly using a variadic function can result in abnormal program termination or unintended information disclosure.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL10- |
2 (medium)
2 (probable)
2 (medium)
C | High | Probable | High | P6 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported, but no explicit checker | |||||||
Helix QAC |
| C0185, C0184 | |||||||
Klocwork |
| SV. |
...
FMT_STR.PRINT_PARAMS_WRONGNUM.FEW SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY SV.FMT_STR.SCAN_PARAMS_WRONGNUM.FEW SV.FMT_STR.SCAN_PARAMS_WRONGNUM.MANY | |||||||||
LDRA tool suite |
| 41 S | Enhanced Enforcement | ||||||
Parasoft C/C++test |
| CERT_C-DCL10-a | The number of format specifiers in the format string and the number of corresponding arguments in the invocation of a string formatting function should be equal | ||||||
PC-lint Plus |
| 558, 719 | Assistance provided: reports issues involving format strings | ||||||
Polyspace Bug Finder |
| Checks for format string specifiers and arguments mismatch (rec. partially covered) |
Related Guidelines
ISO/IEC TR 24772:2013 | Subprogram Signature Mismatch [OTR] |
MISRA C:2012 | Rule 17.1 (required) |
MITRE CWE | CWE-628, Function call with incorrectly specified arguments |
Bibliography
[Seacord 2013] | Chapter 6, "Formatted Output" |
...
References
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.15, "Variable arguments"; 7.19.6.8 "The {{vfprintf}} function"
\[[Seacord 05c|AA. C References#Seacord 05c]\] Wiki Markup