Function Call with Incorrectly Specified Arguments

Status: Draft
Abstraction: Base
Structure: Simple
Description

This weakness occurs when a function is called with arguments that are incorrectly specified, causing the function to behave in an unintended and consistently wrong manner.

Extended Description

This bug happens when the arguments passed to a function don't match what the function expects. Common mistakes include passing the wrong variable, providing too many or too few arguments, mixing up the argument order, using an incompatible data type, or supplying an incorrect literal value. Any of these errors will cause the function to process the wrong data, leading to unpredictable results, crashes, or security vulnerabilities. For developers, preventing this issue requires careful attention to function signatures and API documentation. Always double-check the number, type, and order of arguments when calling functions, especially when working with external libraries or complex internal APIs. Using modern IDE features like type hints and auto-completion can help catch these mismatches early in the development cycle.

Common Consequences

Scope: Other; Access Control

Impact: Quality Degradation; Gain Privileges or Assume Identity

This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.

Detection Methods

Other
Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.
Potential Mitigations

Phase: Build and Compilation
Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.

Phase: Architecture and Design
Make sure your APIs are stable before you use them in production code.

Demonstrative Examples

ID : DX-62

The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.

Code Example (Bad, PHP): [listing not preserved in this copy; only the fragment `// authenticate user ...}` survives]

ID : DX-63

This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.

Code Example (Bad, Perl): [listing not preserved in this copy]

ID : DX-64

In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.

Code Example (Bad, Java): [listing not preserved in this copy; only the fragment `// grant or deny access based on user roles ...}` survives]
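The DX-64 pattern and the "code inspection tools" mitigation, as an added example that is not part of the CWE entry: a small role check called once with a constant role set instead of the caller's roles, and an ast-based lint that flags calls whose argument count or keyword names cannot be bound to the callee's signature. All names (access_granted, check_request_buggy, find_arity_mismatches) and the sample source are constructed for this illustration.

```python
"""Added example (not from the CWE entry): an ast/inspect-based check for
calls whose arguments do not fit the callee's signature, plus the DX-64
pattern where a constant role set is passed instead of the caller's roles."""
import ast
import inspect

ADMIN_ROLES = frozenset({"admin"})  # constructed static role set


def access_granted(roles, resource):
    """Admin-only resources are granted only to callers holding 'admin'."""
    if resource.startswith("/admin"):
        return "admin" in roles
    return True


def check_request_buggy(request):
    # DX-64 pattern: the static ADMIN_ROLES set is passed where the caller's
    # roles belong, so every caller is treated as an administrator.
    return access_granted(ADMIN_ROLES, request["resource"])


def check_request_fixed(request):
    # Correct call: the roles attached to this request are checked.
    return access_granted(request["roles"], request["resource"])


def find_arity_mismatches(source, known):
    """Return (line, name, reason) for each call to a function in `known`
    whose positional count or keyword names cannot bind to its signature."""
    problems = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        fn = known.get(node.func.id)
        if fn is None or any(isinstance(a, ast.Starred) for a in node.args) \
                or any(kw.arg is None for kw in node.keywords):
            continue  # unknown callee or *args/**kwargs: cannot check statically
        kwargs = {kw.arg: None for kw in node.keywords}
        try:
            inspect.signature(fn).bind(*([None] * len(node.args)), **kwargs)
        except TypeError as exc:
            problems.append((node.lineno, node.func.id, str(exc)))
    return problems


# Constructed snippet: one correct call, one with too few arguments,
# one with a misspelled keyword.
SAMPLE_SOURCE = """
ok = access_granted(roles, "/admin/users")
too_few = access_granted(roles)
bad_kw = access_granted(roles, "/admin", reslt="x")
"""

if __name__ == "__main__":
    guest = {"roles": {"guest"}, "resource": "/admin/users"}  # constructed
    print("buggy call grants guest admin access:", check_request_buggy(guest))
    print("fixed call denies guest:", not check_request_fixed(guest))
    for line, name, why in find_arity_mismatches(SAMPLE_SOURCE, {"access_granted": access_granted}):
        print(f"line {line}: {name}: {why}")
```

The lint catches only arity and keyword-name mistakes; a swapped order of same-typed arguments (the DX-62 and DX-64 cases) still binds cleanly, which is why the review step in the mitigations above remains necessary.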

Observed Examples
CVE-2006-7049: The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • CERT C Secure Coding
  • CERT C Secure Coding
  • SEI CERT Perl Coding Standard
  • SEI CERT Perl Coding Standard