Page History

Wiki MarkupVariadic functions provide the ability to specify a variable number of arguments to a function, but they can be problematic. Variadic functions contain an implicit contract between the function writer and the function user that must be made to establish how many arguments are passed on an invocation (\[Seacord\]). Variadic functions can also be unsafe because the macros used to process the argument list circumvent the C type system. If care is not exercised when invoking a variadic function to ensure that it knows when to stop processing arguments or that the argument it is processing is the right fundamental type, there may be dangerous consequences.functions accept a variable number of arguments but are problematic. Variadic functions define an implicit contract between the function writer and the function user that allows the function to determine the number of arguments passed in any particular invocation. Failure to enforce this contract may result in undefined behavior. See undefined behavior 141 of Appendix J of the C Standard.

Argument Processing

In the following code example, a the variadic function called average() (taken from an article written by Robert Seacord for Linux World Magazine on variadic functions) is used to determine calculates the average value of its passed the positive integer arguments passed to the function [Seacord 2013]. The function will stop processing processes arguments when it sees that the argument is -1until it encounters an argument with the value of va_eol (-1).

enum { va_eol = -1 };

unsigned int average(int first, ...) {
  unsigned int count = 0;
  unsigned int sum = 0;
  int i = first;
  va_list markerargs;

  va_start(markerargs, first);

  while (i != -1va_eol) {
    sum += i;
    count++;
    i = va_arg(markerargs, int);
  }

  va_end(markerargs);
  return(sumcount ? (sum / count) : 0);
}

Note that va_start() must always be called to initialize the argument list and that va_end() must be called when finished with a variable argument list.

Noncompliant Code Example

In this noncompliant code example, the average() However, if the function is called as follows:

  int avg = average(1, 4, 6, 4, 1);

The omission of the -1 va_eol terminating value means that on some architectures, the function will continue to grab process values from the stack until it either hits a -1 encounters a va_eol by coincidence , or until it is terminated.

In the following line of code, which is an actual vulnerability in an implementation of a useradd function from the shadow-utils package, the POSIX function open() (which is implemented as a variadic function) is called missing an argument. If the stack is maliciously manipulated, the missing argument, which controls access permissions, could be set to a value that allows for an unauthorized user to read or modify data.

fd = open(ms, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC);

The C99 function printf() is also implemented as a variadic function, if care is not taken to ensure that the conversion specifiers to printf() match up with the type of the intended parameter, the result may be abnormal program termination.

The following code swaps its null terminated byte string and integer parameters with respect to how they were specified in the format string. This means that the integer will be silently casted into a pointer to a null terminated byte string and then dereferenced, possibly causing the program to abnormally terminate (error_message pointer will likewise be silently converted into an integer).

or an error occurs.

Compliant Solution

This compliant solution enforces the contract by adding va_eol as the final argument:

int avg = average(1, 4, 6, 4, 1, va_eol);

Noncompliant Code Example

Another common mistake is to use more conversion specifiers than supplied arguments, as shown in this noncompliant code example:

const char 

char const *error_msg = "Error occurredResource not available to user.";
/* ... */
printf("Error (%s):%d %s", 15, error_messagemsg);

As shown, care should be taken that the arguments passed to a format string function match up with the supplied format string.

Another common mistake is to use more format specifiers than supplied arguments. This results in undefined behavior, which could end up pulling extra values off the stack and unintentionally exposing data.

This code results in nonexistent arguments being processed by the function, potentially leaking information about the process.

Compliant Solution

This compliant solution matches the number of format specifiers with the number of variable arguments:

const char

char const *error_msg = "Resource not available to user.";
/* ... */
printf("Error (%s): %s", error_msg);

Argument List Caveats

C functions that accept the variadic primitive va_list as an argument pose an additional risk. Calls to vfprintf(), vfscanf(), vprintf(), vscanf(), vsnprintf(), vsprintf(), and vsscanf() use the va_arg() macro, invalidating the parameterized va_list. Consequently, once a va_list is passed as an argument to any of these functions, it cannot be used again without a call to va_end() followed by a call to va_start().

Risk Assessment

Incorrectly using a variadic function can result in abnormal program termination or unintended information disclosure.

References

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

Related Guidelines

Bibliography

...

Image Added Image Added Image Added Wiki Markup\[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 7.15, "Variable arguments"