
4.3 Variable Argument Functions

C allows functions to have a variable number of arguments, through the varargs language feature. However, there is no obvious way of specifying constraints on the individual varargs: even their type is not fixed. For example, in the expression sprintf(s, "%s", t), if t is tainted, then we would like our type inference algorithm to force s to be tainted as well.

We have extended the C grammar so that the varargs specifier "..." can be annotated with a type qualifier variable. In the sprintf() example, we would like the first argument of sprintf() to be tainted if any of its varargs is tainted, so we use the type declaration

$\displaystyle \texttt{int sprintf(\$\_1\_2 char *, untainted char *, \$\_2 ...);}$

Consequently, if any of sprintf()'s arguments (excluding the first two) are tainted, we will infer that the first argument must be tainted as well. More precisely, for each qualifier $ q$ on any level of a type passed to the ... of sprintf(), we add the constraint $ q \leq \texttt{\$\_1\_2}$.

The type inference system ignores parameters beyond the last named argument of an unannotated varargs function. Thus for soundness the user must annotate all potentially-vulnerable varargs functions; as mentioned in Section 3.2, we provide a list of unannotated varargs functions to the user to help with this task. Our implementation also does not model varargs function pointers fully. Both of these issues can be easily addressed, and we plan to do so in the future.
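The following is an added toy model of the constraint generation and solving described in this section; it is not cqual's code and the class and method names (Inference, declare, call, solve, analyze) are our own. It uses the two-point lattice untainted ≤ tainted, instantiates a callee's declared qualifier variables afresh at each call site, and for an annotated varargs function adds exactly the constraint stated above, q ≤ $_1_2, for every qualifier q passed to the "...". The constructed program is sprintf(s, "%s", t) followed by printf(s) with t tainted; running the model once with sprintf annotated and once with it unannotated shows both the inferred taint on s and the soundness gap for unannotated varargs functions.

```python
"""Toy model of qualifier inference over varargs calls (constructed example).

Lattice: untainted <= tainted.  Each pointer-typed program variable gets one
qualifier variable for its pointed-to data.  A call site instantiates the
callee's declared qualifier variables and constrains them against the
actuals; varargs actuals flow into the declared target variable.
"""
from collections import defaultdict

TAINTED = "tainted"      # lattice top (constant)
UNTAINTED = "untainted"  # lattice bottom (constant)


class Inference:
    def __init__(self):
        self.leq = defaultdict(set)  # lo -> {hi}: constraint lo <= hi
        self.decls = {}              # fn -> (param qualifiers, vararg target or None)
        self.calls = 0

    def declare(self, fn, params, vararg_target=None):
        """params: one qualifier (variable name or constant) per named parameter.
        vararg_target: declared variable every vararg qualifier must flow into;
        None models an unannotated varargs function (varargs are ignored)."""
        self.decls[fn] = (params, vararg_target)

    def constrain(self, lo, hi):
        self.leq[lo].add(hi)

    def call(self, fn, actuals, varargs=()):
        params, vararg_target = self.decls[fn]
        self.calls += 1
        inst = {}

        def instantiate(q):
            # Constants stay as they are; variables get a fresh per-call copy.
            if q in (TAINTED, UNTAINTED):
                return q
            return inst.setdefault(q, f"{fn}#{self.calls}.{q}")

        for actual, param in zip(actuals, params):
            p = instantiate(param)
            # Pointed-to data is invariant under subtyping: constrain both ways.
            self.constrain(actual, p)
            self.constrain(p, actual)
        if vararg_target is not None:
            target = instantiate(vararg_target)
            for q in varargs:
                self.constrain(q, target)  # q <= $_1_2, as in the text

    def solve(self):
        """Least solution: push 'tainted' forward along every lo <= hi edge.
        Returns (set of tainted variables, whether a constraint was violated);
        a violation means tainted data reached an 'untainted' position."""
        tainted = set()
        work = [TAINTED]
        while work:
            q = work.pop()
            for hi in self.leq[q]:
                if hi not in tainted:
                    tainted.add(hi)
                    work.append(hi)
        return tainted, UNTAINTED in tainted


def analyze(annotated):
    """Model (constructed):  char *t = <tainted input>;
                             char s[64]; sprintf(s, "%s", t); printf(s);"""
    inf = Inference()
    if annotated:
        # int sprintf($_1_2 char *, untainted char *, $_2 ...);
        inf.declare("sprintf", ["$_1_2", UNTAINTED], vararg_target="$_1_2")
    else:
        # Unannotated prototype: parameters past the last named one are ignored.
        inf.declare("sprintf", ["$_1_2", UNTAINTED])
    inf.declare("printf", [UNTAINTED])  # format string must be untainted

    inf.constrain(TAINTED, "t")                        # t holds tainted input
    inf.call("sprintf", ["s", UNTAINTED], varargs=["t"])  # "%s" literal is untainted
    inf.call("printf", ["s"])
    tainted, violated = inf.solve()
    return "s" in tainted, violated


if __name__ == "__main__":
    print("annotated:  s tainted=%s, format-string violation=%s" % analyze(True))
    print("unannotated: s tainted=%s, format-string violation=%s" % analyze(False))
```

With the annotated prototype the solver marks s tainted and then reports a violation at printf(s); with the unannotated prototype nothing flows out of t, so s stays untainted and the same printf(s) passes silently, which is exactly why every potentially vulnerable varargs function must be annotated for the analysis to be sound.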


Umesh Shankar 2001-05-16