Call to function with fewer arguments than declared parameters

ID: cpp/too-few-arguments
Kind: problem
Security severity: 5.0
Severity: error
Precision: very-high
Tags:
- correctness
- maintainability
- security
- external/cwe/cwe-234
- external/cwe/cwe-685
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
A function is called with fewer arguments than there are parameters of the function.
This may indicate that an incorrect function is being called, or that the signature (parameter list) of the called function is not known to the author.
In C, function calls generally need to provide the same number of arguments as the function has parameters. (Variadic functions can accept additional arguments.) Providing fewer arguments than there are parameters is extremely dangerous, as the called function will nevertheless try to obtain the missing arguments' values, either from the stack or from machine registers. As a result, the function may behave unpredictably.
If the called function modifies a parameter corresponding to a missing argument, it may alter the state of the program upon its return. An attacker could use this to, for example, alter the control flow of the program to access forbidden resources.
Recommendation
Call the function with the correct number of arguments.
Example

```c
void one_argument();

void calls() {
    one_argument(1); // GOOD: `one_argument` will accept and use the argument
    one_argument();  // BAD: `one_argument` will receive an undefined value
}

void one_argument(int x);
```
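The corrected form, as an added example that is not part of the CodeQL documentation: a full prototype for `one_argument` is visible before the call site, and a zero-parameter function is declared with an explicit `void` (the DCL20-C rule referenced below), so a call with the wrong argument count becomes a compile-time error rather than an undefined read from the stack or a register. The function bodies and return values are constructed for illustration.

```c
#include <stdio.h>

/* Full prototype visible before first use: the compiler now knows that
 * exactly one int is required, and rejects one_argument() with
 * "too few arguments to function 'one_argument'". */
int one_argument(int x);

/* In C, "()" means "parameters unspecified", while "(void)" means "no
 * parameters" (DCL20-C). Only the latter lets the compiler check the
 * argument count at every call site. */
int no_arguments(void);

/* Call site: every call matches its prototype. */
int calls(void) {
    int a = one_argument(1);  /* GOOD: one argument, as declared */
    int b = no_arguments();   /* GOOD: zero arguments, as declared */
    /* one_argument();  <- would no longer compile with the prototype above */
    return a + b;
}

/* Constructed bodies so the example runs stand-alone. */
int one_argument(int x) { return x * 2; }
int no_arguments(void) { return 40; }

int main(void) {
    printf("calls() = %d\n", calls());
    return 0;
}
```

Building with `-Wstrict-prototypes` (GCC and Clang) flags any remaining `()` declarations, so the unchecked style from the example above cannot reappear unnoticed.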
References

SEI CERT C Coding Standard: DCL20-C. Explicitly specify void when a function accepts no arguments
Common Weakness Enumeration: CWE-234.
Common Weakness Enumeration: CWE-685.