Function Call with Incorrectly Specified Arguments

Status: Draft
Abstraction: Base
Structure: Simple
Description

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Extended Description

There are multiple ways in which this weakness can be introduced, including:

  • the wrong variable or reference;
  • an incorrect number of arguments;
  • incorrect order of arguments;
  • wrong type of arguments; or
  • wrong value.

Common Consequences 1
Scope: Other; Impact: Quality Degradation

Scope: Access Control; Impact: Gain Privileges or Assume Identity

This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.

Detection Methods 1
Other
Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.
Potential Mitigations 2
Phase: Build and Compilation
Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
Phase: Architecture and Design
Make sure your APIs are stable before you use them in production code.
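The "code inspection tools" mitigation above can be made concrete with a small static check. The following is an added example, not part of the CWE entry: it walks the AST of a Python module and flags two of the mistakes listed in the extended description, a call with the wrong number of positional arguments and a call that passes the callee's own parameter names in a different order (the reversed authenticate(password, username) pattern). The sample source it scans is constructed here, and calls are only checked against functions defined in the same module; functions that accept *args are skipped for the arity check, since a variable number of arguments is exactly the case the detection notes say is hard to verify.

```python
import ast

# Constructed sample module: one correct call, one reversed call, one short call.
SAMPLE_SOURCE = """
def authenticate(username, password):
    return username == "alice" and password == "hunter2"   # constructed stub

def main(username, password):
    authenticate(username, password)   # correct
    authenticate(password, username)   # reversed: flagged as 'order'
    authenticate(username)             # missing argument: flagged as 'arity'
"""


def collect_signatures(tree):
    """Map function name -> (positional parameter names, required count, accepts *args)."""
    sigs = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            params = [a.arg for a in node.args.posonlyargs + node.args.args]
            required = len(params) - len(node.args.defaults)
            sigs[node.name] = (params, required, node.args.vararg is not None)
    return sigs


def find_call_mismatches(source):
    """Return (line, callee, kind) for each suspicious call; kind is 'arity' or 'order'."""
    tree = ast.parse(source)
    sigs = collect_signatures(tree)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        if node.keywords or any(isinstance(a, ast.Starred) for a in node.args):
            continue  # keyword and unpacked calls need a different check
        sig = sigs.get(node.func.id)
        if sig is None:
            continue  # callee not defined in this module
        params, required, variadic = sig
        if not variadic and not (required <= len(node.args) <= len(params)):
            findings.append((node.lineno, node.func.id, "arity"))
            continue
        passed = [a.id for a in node.args if isinstance(a, ast.Name)]
        # Order can only be compared when every argument is a plain name and the
        # names are exactly the callee's parameters in some other order.
        if len(passed) == len(node.args) and passed != params and sorted(passed) == sorted(params):
            findings.append((node.lineno, node.func.id, "order"))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee, kind in find_call_mismatches(SAMPLE_SOURCE):
        print(f"line {line}: {callee}() called with suspicious argument {kind}")
```

The order check is deliberately narrow: it only fires when the argument identifiers are a permutation of the parameter names, which keeps false positives low at the cost of missing swaps where the caller uses different variable names. That is the trade-off most IDE "argument name mismatch" inspections make.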
Demonstrative Examples 3

ID : DX-62

The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.

Code Example (Bad, PHP):

// authenticate user
...

ID : DX-63

This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.

Code Example (Bad, Perl):

ID : DX-64

In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.

Code Example (Bad, Java):

// grant or deny access based on user roles
...
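The three demonstrative examples above (DX-62 reversed order, DX-63 wrong flag value, DX-64 wrong variable) are shown together below in one added Python example; it is not the CWE entry's PHP, Perl or Java code, and every user, role and password in it is constructed sample data. Each buggy call site is kept next to a form that either makes the mistake a hard error (keyword-only parameters, an enum flag that rejects bare integers) or makes it visible (an assigned-but-unused variable that any linter reports). Aborting on failed authentication is modelled by raising AuthFailure rather than exiting the process.

```python
import enum
import hashlib
import hmac

# Constructed sample data: one credential, two users' roles, a static admin list.
_SALT = b"example-salt"


def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse")}
USER_ROLES = {"alice": ["user"], "bob": ["user", "admin"]}
ADMIN_ROLES = ["user", "admin"]


def raises(exc, fn, *args, **kwargs):
    """True if calling fn raises exc; lets the outcomes below be checked as values."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


# 1. Wrong order (DX-62): positional parameters accept a swapped call silently.
def authenticate(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


def login_reversed(username, password):
    return authenticate(password, username)  # bug: always fails for real users


def authenticate_kw(*, username, password):
    """Keyword-only parameters: a positional, and therefore swappable, call is a TypeError."""
    return authenticate(username, password)


# 2. Wrong value (DX-63): an integer flag accepts 0 where 1 was intended.
class AuthFailure(Exception):
    pass


class OnFailure(enum.Enum):
    CONTINUE = 0
    ABORT = 1


AUTH_LOG = []


def report_auth_int(username, auth_status, exit_on_fail):
    AUTH_LOG.append((username, auth_status))
    if not auth_status and exit_on_fail:
        raise AuthFailure(username)


def report_auth(username, auth_status, on_failure):
    """Enum flag: a bare 0 or 1 at the call site is rejected instead of misread."""
    if not isinstance(on_failure, OnFailure):
        raise TypeError("on_failure must be an OnFailure member")
    AUTH_LOG.append((username, auth_status))
    if not auth_status and on_failure is OnFailure.ABORT:
        raise AuthFailure(username)


def check_and_report_buggy(username, password):
    ok = authenticate(username, password)
    report_auth_int(username, ok, 0)  # meant 1: failure is logged but never aborts
    return ok


def check_and_report(username, password):
    ok = authenticate(username, password)
    report_auth(username, ok, OnFailure.ABORT)
    return ok


# 3. Wrong variable (DX-64): the static admin list is passed instead of the user's roles.
def _access_granted(resource, roles):
    needed = "admin" if resource.startswith("/admin") else "user"
    return needed in roles


def access_granted_buggy(resource, user):
    user_roles = USER_ROLES.get(user, [])          # computed, then never used
    return _access_granted(resource, ADMIN_ROLES)  # bug: every caller is an admin


def access_granted(resource, user):
    return _access_granted(resource, USER_ROLES.get(user, []))


if __name__ == "__main__":
    print("reversed login succeeds:", login_reversed("alice", "correct horse"))
    print("swapped keyword call rejected:", raises(TypeError, authenticate_kw, "alice", "correct horse"))
    print("buggy report aborts on failure:", raises(AuthFailure, check_and_report_buggy, "alice", "wrong"))
    print("fixed report aborts on failure:", raises(AuthFailure, check_and_report, "alice", "wrong"))
    print("alice reaches /admin (buggy):", access_granted_buggy("/admin/users", "alice"))
    print("alice reaches /admin (fixed):", access_granted("/admin/users", "alice"))
```

The first two variants degrade quality (a valid login is refused, a failed login is not aborted); the third is the access-control consequence the entry lists, since a regular user is evaluated against the administrator's roles.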

Observed Examples 1
CVE-2006-7049: The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • CERT C Secure Coding
  • CERT C Secure Coding
  • SEI CERT Perl Coding Standard
  • SEI CERT Perl Coding Standard