SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 90

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The variable parameters of a variadic function, that function—that is, those that correspond with the position of the ellipsis, are ellipsis—are interpreted by the va_arg() macro. The va_arg() macro is used to extract the next argument from an initialized argument list within the body of a variadic function implementation. The size of each parameter is determined by the specified type. If the type is inconsistent with the corresponding argument, the behavior is undefined and may result in misinterpreted data or an alignment error . (See see EXP36-C. Do not convert cast pointers into more strictly aligned pointer types).)

The variable arguments to a variadic function are not checked for type by the compiler. As a result, the programmer is responsible for ensuring that they are compatible with the corresponding parameter after the default argument promotions:

...

The C printf() function is implemented as a variadic function. This noncompliant code example swaps its null-terminated byte string and integer parameters with respect to how they are specified in the format string. Consequently, the integer is interpreted as a pointer to a null-terminated byte string and dereferenced. This , which will likely cause the program to abnormally terminate. Note that the error_message pointer is likewise interpreted as an integer.

...

This compliant solution modifies the format string so that the conversion specifiers correspond to the arguments.:

Code Block
bgColor#ccccff
langc
const char *error_msg = "Error occurred";
/* ... */
printf("%d:%s", 15, error_msg);

...

This compliant solution adds the length modifier ll to the %d format specifier so that the variadic function parser for printf() extracts the correct number of bytes from the variable argument list for the long long argument.:

Code Block
bgColor#ccccff
langc
long long a = 1;
const char msg[] = "Default message";
/* ... */
printf("%lld %s", a, msg);

Noncompliant Code Example (NULL)

Because the The C standard allows Standard allows NULL to be either an integer constant or a pointer constant, any architecture where int is not the same size as a pointer might present a particular vulnerability with variadic functions. If NULL is defined as an int on such a platform, then . While passing NULL as an argument to a function with a fixed number of arguments will cause NULL to be cast to the appropriate pointer type, when it is passed as a variadic argument, this will not happen if sizeof(NULL) != sizeof(void *), so variadic functions that accept an argument of pointer type will not correctly promote NULL to the correct size. ConsequentlyThis is possible for several reasons:

  • Pointers and ints may have different sizes on a platform where NULL is an integer constant
  • The platform may have different pointer types with different sizes on a platform. In that case, if NULL is a void pointer, it is the same size as a pointer to char (C11 section 6.2.5, paragraph 28), which might be sized differently than the required pointer type.

On either such platform, the following code will have have undefined behavior:

Code Block
bgColor#ffcccc
langc
char* string = NULL;
printf("%s %d\n", string, 1);

On a system with 32-bit int and 64-bit pointers, printf() may interpret the NULL as high-order bits of the pointer and the third argument 1 as the low-order bits of the pointer. In this case, printf() will print a pointer with the value 0x00000001 and then attempt to read an additional argument for the %d conversion specifier, which was not provided.

Compliant Solution (NULL)

This compliant solution avoids sending NULL to printf().:

Code Block
bgColor#ccccff
langc
char* string = NULL;
printf("%s %d\n", (string ? string : "null"), 1);

...

Inconsistent typing in variadic functions can result in abnormal program termination or unintended information disclosure.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL11-C

high

High

probable

Probable

high

High

P6

L2

Automated Detection

Tool

Version

Checker

Description

GCC
Axivion Bauhaus Suite

Include Page

GCC

Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

GCC
CertC-DCL11
CodeSonar
Include Page
CodeSonar_V

 

CodeSonar_V

LANG.STRUCT.ELLIPSIS


Ellipsis

Warns about inconsistently typed arguments to formatted output functions when the -Wall is used.

Compass/ROSE

 

 



Does

NOT

not currently detect violations of this recommendation. Although the recommendation in general cannot be automated, because of the difficulty in enforcing contracts between a variadic function and its invokers, it would be fairly easy to enforce type correctness on arguments to the printf() family of functions

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.DCL11

Partially implemented

GCC
Include Page
GCC_V
GCC_V


Warns about inconsistently typed arguments to formatted output functions when the -Wall is used

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0206, C0207, C0208


Klocwork
Include Page
Klocwork_V
Klocwork_V
MISRA.FUNC.VARARG
SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD
SV.FMT_STR.PRINT_FORMAT_MISMATCH.UNDESIRED
SV.FMT_STR.SCAN_FORMAT_MISMATCH.BAD
SV.FMT_STR.SCAN_FORMAT_MISMATCH.UNDESIRED
SV.FMT_STR.PRINT_IMPROP_LENGTH
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY
SV.FMT_STR.UNKWN_FORMAT.SCAN
LDRA tool suite
Include Page
LDRA_V
LDRA_V

41 S, 589 S

Partially implemented

.PRQA QA-C

Parasoft C/C++test

Include Page

PRQA

Parasoft_V

PRQA

Parasoft_V

0179 (U)
0184 (U)
0185 (U)
0186 (U)
0190 (U)
0191 (U)
0192 (U)
0193 (U)
0194 (U)
0195 (U)
0196 (U)
0197 (U)
0198 (U)
0199 (U)
0200 (U)
0201 (U)
0206 (U)

CERT_C-DCL11-a
CERT_C-DCL11-b
CERT_C-DCL11-c
CERT_C-DCL11-d
CERT_C-DCL11-e
CERT_C-DCL11-f


There should be no mismatch between the '%s' and '%c' format specifiers in the format string and their corresponding arguments in the invocation of a string formatting function
There should be no mismatch between the '%f' format specifier in the format string and its corresponding argument in the invocation of a string formatting function
There should be no mismatch between the '%i' and '%d' format specifiers in the string and their corresponding arguments in the invocation of a string formatting function
There should be no mismatch between the '%u' format specifier in the format string and its corresponding argument in the invocation of a string formatting function
There should be no mismatch between the '%p' format specifier in the format string and its corresponding argument in the invocation of a string formatting function
The number of format specifiers in the format string and the number of corresponding arguments in the invocation of a string formatting function should be equal

Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

175, 559, 2408

Assistance provided: reports issues involving format strings

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. DCL11-C


Checks for format string specifiers and arguments mismatch (rec. partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V576
Partially implemented.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

Related Guidelines

ISO/IEC TR 24772:2013
"IHN Type system" and "OTR Subprogram signature mismatch"MISRA-CRule 16.1

Bibliography

[ISO/IEC 9899:2011]Section 6.5.2.2, "Function Calls," and section 7.16, "Variable Arguments"

...

Type System [IHN]
Subprogram Signature Mismatch [OTR]
MISRA C:2012Rule 17.1 (required)


...

Image Modified Image Modified Image Modified