Base · Medium

CWE-628: Function Call with Incorrectly Specified Arguments

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

CWE-628 · Base Level · 1 CVE · 2 Mitigations

Description

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

There are multiple ways in which this weakness can be introduced, including:

Potential Impact

Other, Access Control

Quality Degradation, Gain Privileges or Assume Identity

Demonstrative Examples

The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.
Bad
    function authenticate($username, $password) {
        // authenticate user
        ...
    }
    authenticate($_POST['password'], $_POST['username']);
This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.
Bad
    sub ReportAuth {
        my ($username, $result, $fatal) = @_;
        PrintLog("auth: username=%s, result=%d", $username, $result);
        if (($result ne "success") && $fatal) {
            die "Failed!\n";
        }
    }

    sub PrivilegedFunc {
        my $result = CheckAuth($username);
        ReportAuth($username, $result, 0);
        DoReallyImportantStuff();
    }
In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.
Bad
    private static final String[] ADMIN_ROLES = ...;

    public boolean accessGranted(String resource, String user) {
        String[] userRoles = getUserRoles(user);
        // userRoles is computed but never used; ADMIN_ROLES is passed instead
        return accessGranted(resource, ADMIN_ROLES);
    }

    private boolean accessGranted(String resource, String[] userRoles) {
        // grant or deny access based on user roles
        ...
    }

Mitigations & Prevention

Build and Compilation

Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
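
One way to automate the code inspection recommended above, as an added example that is not part of the CWE entry: a name-based heuristic built on Python's ast module that flags calls whose positional arguments are named after a different parameter of the callee, the same pattern as the reversed authenticate() call in the PHP example. The function find_swapped_args and the sample source are constructed for illustration, and Python stands in here for the page's PHP, Perl and Java.

```python
import ast

# Constructed sample input: one call with reversed arguments, one correct call.
SAMPLE = '''
def authenticate(username, password):
    return check(username, password)

def handler(form):
    username = form["username"]
    password = form["password"]
    return authenticate(password, username)

def ok_handler(form):
    username = form["username"]
    password = form["password"]
    return authenticate(username, password)
'''

def find_swapped_args(source):
    """Return (line, callee, arg, expected_param) for each positional argument
    whose variable name matches a different parameter of the called function."""
    tree = ast.parse(source)
    # Map each function defined in this source to its ordered parameter names.
    params = {
        node.name: [a.arg for a in node.args.args]
        for node in ast.walk(tree)
        if isinstance(node, ast.FunctionDef)
    }
    findings = []
    for node in ast.walk(tree):
        # Only plain-name calls are resolved; method calls are out of scope here.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        expected = params.get(node.func.id)
        if expected is None:
            continue  # callee not defined in this source, nothing to compare
        for pos, arg in enumerate(node.args):
            if pos >= len(expected) or not isinstance(arg, ast.Name):
                continue
            # Variable is named after another parameter of the callee, not the
            # one at this position: a likely misordered call.
            if arg.id != expected[pos] and arg.id in expected:
                findings.append((node.lineno, node.func.id, arg.id, expected[pos]))
    return findings

if __name__ == "__main__":
    for line, func, arg, want in find_swapped_args(SAMPLE):
        print(f"line {line}: {func}() got '{arg}' where '{want}' is expected")
```

The heuristic only sees arguments passed as bare variables, so a wrong constant (the Perl example's 0) or a wrong variable with an unrelated name (the Java example's ADMIN_ROLES) still needs review or tests.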

Architecture and Design

Make sure your APIs are stable before you use them in production code.

Detection Methods

  • Other — Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments a

Real-World CVE Examples

CVE ID | Description
CVE-2006-7049 | The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.

Taxonomy Mappings

  • CERT C Secure Coding: DCL10-C — Maintain the contract between the writer and caller of variadic functions
  • CERT C Secure Coding: EXP37-C — Call functions with the correct number and type of arguments
  • SEI CERT Perl Coding Standard: DCL00-PL — Do not use subroutine prototypes
  • SEI CERT Perl Coding Standard: EXP33-PL — Do not invoke a function in a context for which it is not defined

Frequently Asked Questions

What is CWE-628?

CWE-628 (Function Call with Incorrectly Specified Arguments) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

How can CWE-628 be exploited?

Attackers can exploit CWE-628 (Function Call with Incorrectly Specified Arguments) to cause quality degradation, gain privileges, or assume identity. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-628?

Key mitigations include: Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.

What is the severity of CWE-628?

CWE-628 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.