CWE-628: Function Call with Incorrectly Specified Arguments
Description
The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
Submission Date: May 7, 2007, midnight
Modification Date: 2023-06-29 00:00:00+00:00
Organization: MITRE
Extended Description
There are multiple ways in which this weakness can be introduced, including:
- the wrong variable or reference;
- an incorrect number of arguments;
- incorrect order of arguments;
- wrong type of arguments; or
- wrong value.
Example - 1
The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.
    // authenticate user
    ...
    function authenticate($username, $password) {
    }
    authenticate($_POST['password'], $_POST['username']);
Example - 2
This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.
    sub ReportAuth {
        my ($username, $result, $fatal) = @_;
        PrintLog("auth: username=%s, result=%d", $username, $result);
        if (($result ne "success") && $fatal) {
            die "Failed!\n";
        }
    }

    sub PrivilegedFunc {
        my $result = CheckAuth($username);
        ReportAuth($username, $result, 0);
        DoReallyImportantStuff();
    }
Example - 3
In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.
    // grant or deny access based on user roles
    ...
    private static final String[] ADMIN_ROLES = ...;

    public boolean accessGranted(String resource, String user) {
        String[] userRoles = getUserRoles(user);
        return accessGranted(resource, ADMIN_ROLES);
    }

    private boolean accessGranted(String resource, String[] userRoles) {
    }
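The three examples share one root cause: the callee accepts whatever the caller hands it, so a swapped pair of same-typed strings or a bare 0 where 1 was meant runs without complaint. The following Python is an added example, not part of the CWE entry, showing two defensive patterns that make those mistakes fail at the call site instead: keyword-only parameters for the reversed-order case and an enum in place of the bare fatal flag. All names (authenticate, report_auth, Fatality, the USERS table) are assumed for illustration.

```python
from enum import Enum

# Constructed sample credential store: username -> password (illustration only)
USERS = {"alice": "correct-horse"}


# Weak form: two positional parameters of the same type. Passing them in the
# wrong order, as the PHP example does, is silently accepted and simply fails.
def authenticate_positional(username, password):
    return USERS.get(username) == password


# Hardened form: the bare '*' makes both parameters keyword-only, so a caller
# that passes them positionally (and can therefore swap them) gets a TypeError.
def authenticate(*, username, password):
    return USERS.get(username) == password


class Fatality(Enum):
    CONTINUE = 0
    ABORT = 1


class AuthFailure(Exception):
    pass


# Hardened form of the Perl ReportAuth(): the flag is an enum member, so a
# bare 0 or 1 in the third position is rejected rather than read as "not fatal".
def report_auth(username, result, fatal):
    if not isinstance(fatal, Fatality):
        raise TypeError("fatal must be a Fatality member, not a bare value")
    if result != "success" and fatal is Fatality.ABORT:
        raise AuthFailure(f"authentication failed for {username}")
    return result == "success"


def outcome(fn, *args, **kwargs):
    """Return fn's result, or the name of the exception it raised."""
    try:
        return fn(*args, **kwargs)
    except Exception as exc:
        return type(exc).__name__
```

The weak form returns False for the swapped call; the hardened forms raise TypeError, which a test suite or a code review catches before the miscall reaches production.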
Related Weaknesses
This table lists the weaknesses and high-level categories related to this weakness. The relationships give an overview of similar entries that exist at higher and lower levels of abstraction.
CWE-573: Improper Following of Specification by Caller
CWE-683: Function Call With Incorrect Order of Arguments
CWE-685: Function Call With Incorrect Number of Arguments
CWE-686: Function Call With Incorrect Argument Type
CWE-687: Function Call With Incorrectly Specified Argument Value
CWE-688: Function Call With Incorrect Variable or Reference as Argument
Visit http://cwe.mitre.org/ for more details.