CWE-688: Function Call With Incorrect Variable or Reference as Argument

Status: Draft
Weakness ID: 688 (Weakness Variant)

Description Summary
The software calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, leading to undefined behavior and resultant weaknesses.

Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)

Detection Factors
While this weakness might be caught by the compiler in some languages, it occurs more frequently when the called function accepts a variable number of arguments, such as format strings in C. It can also occur in loosely typed languages or environments. Detecting it might require an understanding of the intended program behavior or design, since the argument is well-formed and only wrong with respect to what the caller meant to pass.

Potential Mitigations
Use the function, procedure, or routine as specified.

Demonstrative Examples
In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user's roles, so every caller is evaluated as if it held the administrator roles.

Java Example:

    private static final String[] ADMIN_ROLES = ...;

    public boolean accessGranted(String resource, String user) {
        String[] userRoles = getUserRoles(user);
        // Bug: the static ADMIN_ROLES array is passed instead of userRoles
        return accessGranted(resource, ADMIN_ROLES);
    }

    private boolean accessGranted(String resource, String[] userRoles) {
        // grant or deny access based on user roles
        ...
    }
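The following added example (not part of the CWE entry) turns the snippet above into a runnable program with a constructed role directory and a hypothetical policy in which resources under "/admin/" require the "admin" role. It places the vulnerable call beside the corrected one so the effect of the wrong argument is visible: with ADMIN_ROLES passed, even an unknown user is granted access to the admin resource.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class AccessCheckDemo {
    private static final String[] ADMIN_ROLES = {"admin"};

    // Constructed sample directory (hypothetical users and roles).
    private static final Map<String, String[]> USER_ROLES = new HashMap<>();
    static {
        USER_ROLES.put("alice", new String[] {"admin"});
        USER_ROLES.put("bob", new String[] {"viewer"});
    }

    static String[] getUserRoles(String user) {
        // Unknown users have no roles at all.
        return USER_ROLES.getOrDefault(user, new String[0]);
    }

    // Vulnerable form from the CWE example: userRoles is computed but the
    // static ADMIN_ROLES array is what actually reaches the policy check.
    static boolean accessGrantedVulnerable(String resource, String user) {
        String[] userRoles = getUserRoles(user);
        return accessGranted(resource, ADMIN_ROLES);
    }

    // Corrected form: the caller's own roles are passed through.
    static boolean accessGrantedFixed(String resource, String user) {
        String[] userRoles = getUserRoles(user);
        return accessGranted(resource, userRoles);
    }

    // Hypothetical policy: "/admin/" resources need the admin role,
    // anything else is readable by any user that has at least one role.
    private static boolean accessGranted(String resource, String[] userRoles) {
        boolean isAdmin = Arrays.asList(userRoles).contains("admin");
        if (resource.startsWith("/admin/")) {
            return isAdmin;
        }
        return userRoles.length > 0;
    }

    public static void main(String[] args) {
        for (String user : List.of("alice", "bob", "mallory")) {
            System.out.printf("%-8s vulnerable=%-5b fixed=%-5b%n", user,
                accessGrantedVulnerable("/admin/config", user),
                accessGrantedFixed("/admin/config", user));
        }
    }
}
```

Running this prints true for all three users in the vulnerable column and true only for alice in the fixed column. Note that javac accepts the vulnerable method without complaint because the types match; the practical detection signal is the unused local variable userRoles, which static analysis tools and IDE inspections flag, and a unit test that exercises a non-admin user against an admin resource.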
Observed Examples

Other Notes
This issue is most likely to occur in rarely-tested code.

Relationships

Applicable Platforms
Languages: C, Perl

Time of Introduction
Implementation

Content History
Modifications:
Sean Eidemiller. Cigital. 2008-07-01. (External) added/updated demonstrative examples
Eric Dalci. Cigital. 2008-07-01. (External) updated Potential_Mitigations
CWE Content Team. MITRE. 2008-09-08. (Internal) updated Applicable_Platforms, Detection_Factors, Relationships, Other_Notes, Weakness_Ordinalities