The variable parameters of a variadic function, that function—that is, those that correspond with the position of the ellipsis, are ellipsis—are interpreted by the va_arg()
macro. The va_arg()
macro is used to extract the next argument from an initialized argument list within the body of a variadic function implementation. The size of each parameter is determined by the specified type. If the type is inconsistent with the corresponding argument, the behavior is undefined and may result in misinterpreted data or an alignment error . (See see EXP36-C. Do not convert cast pointers into more strictly aligned pointer types).)
The variable arguments to a variadic function are not checked for type by the compiler. As a result, the programmer is responsible for ensuring that they are compatible with the corresponding parameter after the default argument promotions:
...
The C printf()
function is implemented as a variadic function. This noncompliant code example swaps its null-terminated byte string and integer parameters with respect to how they are specified in the format string. Consequently, the integer is interpreted as a pointer to a null-terminated byte string and dereferenced. This , which will likely cause the program to abnormally terminate. Note that the error_message
pointer is likewise interpreted as an integer.
...
This compliant solution modifies the format string so that the conversion specifiers correspond to the arguments.:
Code Block | ||||
---|---|---|---|---|
| ||||
const char *error_msg = "Error occurred"; /* ... */ printf("%d:%s", 15, error_msg); |
...
This compliant solution adds the length modifier ll
to the %d
format specifier so that the variadic function parser for printf()
extracts the correct number of bytes from the variable argument list for the long long
argument.:
Code Block | ||||
---|---|---|---|---|
| ||||
long long a = 1; const char msg[] = "Default message"; /* ... */ printf("%lld %s", a, msg); |
Noncompliant Code Example (NULL
)
Because the The C standard allows Standard allows NULL to be either an integer constant or a pointer constant, any architecture where int
is not the same size as a pointer might present a particular vulnerability with variadic functions. If NULL
is defined as an int
on such a platform, then . While passing NULL as an argument to a function with a fixed number of arguments will cause NULL to be cast to the appropriate pointer type, when it is passed as a variadic argument, this will not happen if sizeof(NULL) != sizeof(void *)
, so variadic functions that accept an argument of pointer type will not correctly promote NULL
to the correct size. Consequently.
This is possible for several reasons:
- Pointers and ints may have different sizes on a platform where NULL is an integer constant
- The platform may have different pointer types with different sizes on a platform. In that case, if NULL is a void pointer, it is the same size as a pointer to char (C11 section 6.2.5, paragraph 28), which might be sized differently than the required pointer type.
On either such platform, the following code will have have undefined behavior:
Code Block | ||||
---|---|---|---|---|
| ||||
char* string = NULL; printf("%s %d\n", string, 1); |
On a system with 32-bit int
and 64-bit pointers, printf()
may interpret the NULL
as high-order bits of the pointer and the third argument 1
as the low-order bits of the pointer. In this case, printf()
will print a pointer with the value 0x00000001
and then attempt to read an additional argument for the %d
conversion specifier, which was not provided.
Compliant Solution (NULL
)
This compliant solution avoids sending NULL
to printf()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
char* string = NULL; printf("%s %d\n", (string ? string : "null"), 1); |
...
Inconsistent typing in variadic functions can result in abnormal program termination or unintended information disclosure.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL11-C |
High |
Probable |
High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-DCL11 | |||||||
CodeSonar |
| LANG.STRUCT.ELLIPSIS | Ellipsis | ||||||
Compass/ROSE |
Does not currently detect violations of this recommendation. Although the recommendation in general cannot be automated, because of the difficulty in enforcing contracts between a variadic function and its invokers, it would be fairly easy to enforce type correctness on arguments to the | |||||||||
| CC2.DCL11 | Partially implemented | |||||||
GCC |
|
Warns about inconsistently typed arguments to formatted output functions when the | |||||||||
Helix QAC |
| C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0206, C0207, C0208 | |||||||
Klocwork |
| MISRA.FUNC.VARARG SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD SV.FMT_STR.PRINT_FORMAT_MISMATCH.UNDESIRED SV.FMT_STR.SCAN_FORMAT_MISMATCH.BAD SV.FMT_STR.SCAN_FORMAT_MISMATCH.UNDESIRED SV.FMT_STR.PRINT_IMPROP_LENGTH SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY SV.FMT_STR.UNKWN_FORMAT.SCAN | |||||||
LDRA tool suite |
| 41 S, 589 S | Partially implemented |
Parasoft C/C++test |
|
|
0179 (U)
0184 (U)
0185 (U)
0186 (U)
0190 (U)
0191 (U)
0192 (U)
0193 (U)
0194 (U)
0195 (U)
0196 (U)
0197 (U)
0198 (U)
0199 (U)
0200 (U)
0201 (U)
0206 (U)
| CERT_C-DCL11-a |
| |||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 175, 559, 2408 | Assistance provided: reports issues involving format strings | ||||||
Polyspace Bug Finder |
| Checks for format string specifiers and arguments mismatch (rec. partially covered) | |||||||
PVS-Studio |
| V576 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
Related Guidelines
ISO/IEC TR 24772:2013 | Type |
System [IHN] Subprogram |
Signature Mismatch [OTR] |
MISRA |
C:2012 | Rule |
17.1 (required) |
...