Failure to Handle Missing Parameter

Description

This vulnerability occurs when a function or method receives fewer arguments than it expects. The function will still attempt to process its expected number of parameters, which can lead to reading undefined, stale, or arbitrary values from the program's memory or stack, causing crashes or unexpected behavior.

Extended Description

At its core, this flaw is about mismatched expectations between a function's definition and its actual usage. When a caller provides insufficient arguments, the function doesn't receive the data it was designed to process. Instead, it pulls whatever values happen to be in the memory locations (like the stack) where it expected to find its parameters. These values could be remnants from previous operations, uninitialized memory, or even parts of other data structures, leading directly to instability, incorrect calculations, or security breaches. To prevent this, developers must implement robust input validation at the function's entry point. This includes explicitly checking the number of received arguments, defining safe default values for optional parameters, and using modern language features like default arguments or variadic function safeguards. For lower-level code or APIs, clear documentation and runtime assertions are critical to ensure callers and functions agree on the required contract, preventing the program from operating on garbage data.

Common Consequences 2

Scope: IntegrityConfidentialityAvailabilityAccess Control

Impact: Execute Unauthorized Code or CommandsGain Privileges or Assume Identity

There is the potential for arbitrary code execution with privileges of the vulnerable program if function parameter list is exhausted.

Scope: Availability

Impact: DoS: Crash, Exit, or Restart

Potentially a program could fail if it needs more arguments then are available.

Potential Mitigations 2

Phase: Build and Compilation

This issue can be simply combated with the use of proper build process.

Phase: Implementation

Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.

Demonstrative Examples 1

The following example demonstrates the weakness.

Code Example:Bad
C
c

Code Example:Bad
C
c

This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it.

Observed Examples 15

CVE-2004-0276Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field.

CVE-2002-1488Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in.

CVE-2002-1169Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version numbers.

CVE-2000-0521Web server allows disclosure of CGI source code via an HTTP request without the version number.

CVE-2001-0590Application server allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification.

CVE-2003-0239Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor.

CVE-2002-1023Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI.

CVE-2002-1236CGI crashes when called without any arguments.

CVE-2003-0422CGI crashes when called without any arguments.

CVE-2002-1531Crash in HTTP request without a Content-Length field.

CVE-2002-1077Crash in HTTP request without a Content-Length field.

CVE-2002-1358Empty elements/strings in protocol test suite affect many SSH2 servers/clients.

CVE-2003-0477FTP server crashes in PORT command without an argument.

CVE-2002-0107Resultant infoleak in web server via GET requests without HTTP/1.0 version string.

CVE-2002-0596GET request with empty parameter leads to error message infoleak (path disclosure).

Likelihood of Exploit

High

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Improper Handling of Parameters (CWE-233)

Taxonomy Mapping

PLOVER
CLASP

Notes

MaintenanceThis entry will be deprecated in a future version of CWE. The term "missing parameter" was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. They are related to an incorrect number of function arguments, which is already covered by Function Call With Incorrect Number of Arguments.