...
Incorrectly using a variadic function can result in abnormal program termination or unintended information disclosure.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL10-C |
High |
Probable |
High | P6 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported, but no explicit checker | |||||||
Helix QAC |
| C0185, C0184 | |||||||
Klocwork |
| SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY SV.FMT_STR.SCAN_PARAMS_WRONGNUM.FEW SV.FMT_STR.SCAN_PARAMS_WRONGNUM.MANY | |||||||
LDRA tool suite |
| 41 S |
Partially implemented
0185
0184
Enhanced Enforcement | |||||||||
Parasoft C/C++test |
| CERT_C-DCL10-a | The number of format specifiers in the format string and the number of corresponding arguments in the invocation of a string formatting function should be equal | ||||||
PC-lint Plus |
| 558, 719 | Assistance provided: reports issues involving format strings | ||||||
Polyspace Bug Finder |
| Checks for format string specifiers and arguments mismatch (rec. partially covered) |
Related Guidelines
ISO/IEC TR 24772:2013 | Subprogram Signature Mismatch [OTR] |
MISRA C:2012 | Rule 17.1 (required) |
MITRE CWE | CWE-628, Function call with incorrectly specified arguments |
Bibliography
[Seacord 2013] | Chapter 6, "Formatted Output" |
...