Unterminated variadic call¶
ID: cpp/unterminated-variadic-call
Kind: problem
Security severity: 8.8
Severity: warning
Precision: medium
Tags:
- reliability
- security
- external/cwe/cwe-121
Query suites:
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
The program calls a function that expects the variable argument list to be terminated with a sentinel value (typically NULL, 0 or -1). In this case, the sentinel value has been omitted as a final argument. This defect may result in incorrect behavior of the function and unintended stack memory access, leading to incorrect program results, instability, and even vulnerability to buffer overflow style attacks.
Recommendation¶
Each description of a defect highlighted by this rule includes a suggested value for the terminator. Check that this value is correct, then add it to the end of the call.
Example¶
#include <stdarg.h>
void pushStrings(char *firstString, ...)
{
va_list args;
char *arg;
va_start(args, firstString);
// process inputs, beginning with firstString, ending when NULL is reached
arg = firstString;
while (arg != NULL)
{
// push the string
pushString(arg);
// move on to the next input
arg = va_arg(args, char *);
}
va_end(args);
}
void badFunction()
{
pushStrings("hello", "world", NULL); // OK
pushStrings("apple", "pear", "banana", NULL); // OK
pushStrings("car", "bus", "train"); // BAD, not terminated with the expected NULL
}
In this example, the third call to pushStrings is not correctly terminated. This call should be updated to include NULL as the fourth and final argument to this call.
References¶
Common Weakness Enumeration: CWE-121.