Semmle 1.22
Skip to end of metadata
Go to start of metadata

Name: Call to function with fewer arguments than declared parameters

Description: A function call is passing fewer arguments than the number of declared parameters of the function. This may indicate that the code does not follow the author's intent. It is also a vulnerability, since the function is likely to operate on undefined data.

ID: cpp/too-few-arguments

Kind: problem

Severity: error

Precision: very-high

Query: TooFewArguments.ql
/**
 * @name Call to function with fewer arguments than declared parameters
 * @description A function call is passing fewer arguments than the number of
 *              declared parameters of the function. This may indicate
 *              that the code does not follow the author's intent. It is also 
 *              a vulnerability, since the function is likely to operate on 
 *              undefined data.
 * @kind problem
 * @problem.severity error
 * @precision very-high
 * @id cpp/too-few-arguments
 * @tags correctness
 *       maintainability
 *       security
 */

import cpp

// True if function was ()-declared, but not (void)-declared or K&R-defined
predicate hasZeroParamDecl(Function f) {
  exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() |
    not fde.hasVoidParamList() and fde.getNumberOfParameters() = 0 and not fde.isDefinition()
  )
}

// True if this file (or header) was compiled as a C file
predicate isCompiledAsC(Function f) {
  exists(File file | file.compiledAsC() |
    file = f.getFile() or file.getAnIncludedFile+() = f.getFile()
  )
}

from FunctionCall fc, Function f
where
  f = fc.getTarget() and
  not f.isVarargs() and
  not f instanceof BuiltInFunction and
  hasZeroParamDecl(f) and
  isCompiledAsC(f) and
  // There is an explicit declaration of the function whose parameter count is larger
  // than the number of call arguments
  exists(FunctionDeclarationEntry fde | fde = f.getADeclarationEntry() |
    fde.getNumberOfParameters() > fc.getNumberOfArguments()
  )
select fc, "This call has fewer arguments than required by $@.", f, f.toString()

A function is called with fewer arguments than there are parameters of the function.

This may indicate that an incorrect function is being called, or that the signature (parameter list) of the called function is not known to the author.

In C, function calls generally need to provide the same number of arguments as there are arguments to the function. (Variadic functions can accept additional arguments.) Providing fewer arguments than there are parameters is extremely dangerous, as the called function will nevertheless try to obtain the missing arguments' values, either from the stack or from machine registers. As a result, the function may behave unpredictably.

If the called function modifies a parameter corresponding to a missing argument, it may alter the state of the program upon its return. An attacker could use this to, for example, alter the control flow of the program to access forbidden resources.

Recommendation

Call the function with the correct number of arguments.

Example

void one_argument();

void calls() {
	one_argument(1); // GOOD: `one_argument` will accept and use the argument
	
	one_argument(); // BAD: `one_argument` will receive an undefined value
}

void one_argument(int x);

References