Page History

...

Incorrectly using a variadic function can result in abnormal program termination or unintended information disclosure.

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
DCL10-C	High	Probable	High	P6	L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

Supported, but no explicit checker

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C0185, C0184

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY
SV.FMT_STR.SCAN_PARAMS_WRONGNUM.FEW
SV.FMT_STR.SCAN_PARAMS_WRONGNUM.MANY

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

41 S

Partially implemented

PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v

0185
0184

Enhanced Enforcement

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-DCL10-a

The number of format specifiers in the format string and the number of corresponding arguments in the invocation of a string formatting function should be equal

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

558, 719

Assistance provided: reports issues involving format strings

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rec. DCL10-C

Checks for format string specifiers and arguments mismatch (rec. partially covered)

Partially implemented

Related Guidelines

ISO/IEC TR 24772:2013	Subprogram Signature Mismatch [OTR]
MISRA C:2012	Rule 17.1 (required)
MITRE CWE	CWE-628, Function call with incorrectly specified arguments

Bibliography

[Seacord 2013]

Chapter 6, "Formatted Output"

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 93

New Version Current

Key

Related Vulnerabilities

Automated Detection

Related Guidelines

Bibliography