CWE-628: Function Call with Incorrectly Specified Arguments
Weakness ID: 628 (Weakness Base)
The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
There are multiple ways in which this weakness can be introduced, including:
the wrong variable or reference;
an incorrect number of arguments;
incorrect order of arguments;
wrong type of arguments; or
Time of Introduction
Technical Impact: Quality degradation; Gain privileges / assume
This weakness can cause unintended behavior and can lead to additional
weaknesses such as allowing an attacker to gain unintended access to
Since these bugs typically introduce obviously incorrect behavior,
they are found quickly, unless they occur in rarely-tested code paths.
Managing the correct number of arguments can be made more difficult in
cases where format strings are used, or when variable numbers of
arguments are supported.
The following PHP method authenticates a user given a
username/password combination but is called with the parameters in reverse
This Perl code intends to record whether a user authenticated
successfully or not, and to exit if the user fails to authenticate. However,
when it calls ReportAuth(), the third argument is specified as 0 instead of
1, so it does not exit.
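The two cases described above (credentials passed in reverse order, and a wrong value for a positional flag), as an added example that is not part of the original entry. It is written in Python rather than the entry's PHP and Perl, and every name and the credential store are constructed for illustration. The hardened half uses keyword-only, distinctly typed parameters and drops the caller-supplied flag.

```python
import hashlib
import hmac
from dataclasses import dataclass

_SALT = b"constructed-salt"  # constructed sample data, not from the entry

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

_USERS = {"alice": _kdf("correct horse")}  # constructed credential store

def authenticate(username: str, password: str) -> bool:
    # Both parameters are str, so authenticate(password, username) is accepted.
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _kdf(password))

def report_auth(username: str, ok: bool, fatal) -> None:
    # Positional flag: passing 0 instead of 1 silently disables the abort.
    if not ok and fatal:
        raise PermissionError(f"authentication failed for {username}")

def privileged_weak(username: str, password: str) -> str:
    ok = authenticate(username, password)
    report_auth(username, ok, 0)  # wrong third argument: never aborts
    return "privileged action ran"

@dataclass(frozen=True)
class Username:
    value: str

@dataclass(frozen=True)
class Password:
    value: str

def authenticate_checked(*, username: Username, password: Password) -> bool:
    # Keyword-only and distinctly typed: order is irrelevant, wrong slot is rejected.
    if not isinstance(username, Username) or not isinstance(password, Password):
        raise TypeError("credential passed in the wrong parameter")
    return authenticate(username.value, password.value)

def privileged_hardened(username: Username, password: Password) -> str:
    # No caller-supplied 'fatal' flag: a failed check always aborts.
    if not authenticate_checked(username=username, password=password):
        raise PermissionError(f"authentication failed for {username.value}")
    return "privileged action ran"
```

With the positional API the swapped call simply returns false for every user, while the wrong flag value fails open; the hardened functions turn both mistakes into exceptions at the call site.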
The method calls the functions with the wrong
argument order, which allows remote attackers to bypass intended access
Phase: Build and Compilation
Once found, these issues are easy to fix. Use code inspection tools
and relevant compiler features to identify potential violations. Pay
special attention to code that is not likely to be exercised heavily
Phase: Architecture and Design
Make sure your APIs are stable before you use them in production
This is usually primary to other weaknesses, but it can be resultant
if the function's API or function prototype changes.