Function Call With Incorrectly Specified Argument Value
Weakness ID: 687 (Weakness Variant)Status: Draft
+ Description

Description Summary

The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.
+ Time of Introduction
  • Implementation
+ Detection Methods

Manual Static Analysis

This might require an understanding of intended program behavior or design to determine whether the value is incorrect.

+ Demonstrative Examples

Example 1

This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.

(Bad Code)
Example Language: PerlĀ 
sub ReportAuth {
my ($username, $result, $fatal) = @_;
PrintLog("auth: username=%s, result=%d", $username, $result);
if (($result ne "success") && $fatal) {
die "Failed!\n";
}
}

sub PrivilegedFunc
{
my $result = CheckAuth($username);
ReportAuth($username, $result, 0);
DoReallyImportantStuff();
}
+ Potential Mitigations

Use the function, procedure, routine as specified.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base628Function Call with Incorrectly Specified Arguments
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory742CERT C Secure Coding Section 08 - Memory Management (MEM)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
ParentOfWeakness VariantWeakness Variant560Use of umask() with chmod-style Argument
Research Concepts (primary)1000
+ Relationship Notes

When primary, this weakness is most likely to occur in rarely-tested code, since the wrong value can change the semantic meaning of the program's execution and lead to obviously-incorrect behavior. It can also be resultant from issues in which the program assigns the wrong value to a variable, and that variable is later used in a function call. In that sense, this issue could be argued as having chaining relationships with many implementation errors in CWE.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT C Secure CodingMEM04-CDo not perform zero length allocations
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations
2008-09-08CWE Content TeamMITREInternal
updated Detection Factors, Relationships, Other Notes, Weakness Ordinalities
2008-11-24CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Description
2009-10-29CWE Content TeamMITREInternal
updated Other Notes, Relationship Notes
Back to top