CWE-628: Function Call with Incorrectly Specified Arguments
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
Common Consequences
Scope: Other; Access Control
Technical Impact: Quality Degradation; Gain Privileges or Assume Identity
Note: This weakness can cause unintended behavior and can lead to additional weaknesses, such as allowing an attacker to gain unintended access to system resources.
Potential Mitigations
Phase: Build and Compilation
Description: Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features (for example, format-string and argument-type warnings) to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
Phase: Architecture and Design
Description: Make sure your APIs are stable before you use them in production code.
Detection Methods
Method: Other
Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.
Observed Examples
Reference: CVE-2006-7049
The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.
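The observed example above and the variadic/format-string case in the detection-method text share one root cause: a call whose arguments are accepted by the compiler but do not match what the callee expects. The following constructed C program (an added illustration, not code from the CWE entry or from the CVE-2006-7049 code base; all function names, privilege levels and the audit_log helper are hypothetical) shows an authorization check whose two int parameters are swapped at the call site, the resulting privilege bypass, and two compile-time defenses: distinct wrapper types for the parameters, and the GCC/Clang format attribute so that -Wformat checks the argument count and types of a variadic wrapper.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Privilege levels for this constructed example (hypothetical values). */
enum { LEVEL_GUEST = 1, LEVEL_USER = 2, LEVEL_ADMIN = 5 };

/* Authorization primitive: access is allowed only when the caller's level
 * is at least the level the resource requires. */
bool level_sufficient(int required_level, int user_level) {
    return user_level >= required_level;
}

/* CWE-628: the caller passes the two arguments in the wrong order. Both are
 * plain int, so the call compiles without a diagnostic, but the check
 * silently becomes "required >= user": a guest reaches an admin-only
 * resource, and an admin is locked out of a guest resource. */
bool vulnerable_can_access(int user_level, int required_level) {
    return level_sufficient(user_level, required_level); /* arguments swapped */
}

/* Hardening: give each parameter its own type. Two distinct struct types are
 * never compatible in C, so a swapped call is a compile error instead of a
 * logic bug that only shows up on a rarely exercised path. */
typedef struct { int v; } required_level_t;
typedef struct { int v; } user_level_t;

bool level_sufficient_typed(required_level_t required, user_level_t user) {
    return user.v >= required.v;
}

bool fixed_can_access(user_level_t user, required_level_t required) {
    /* level_sufficient_typed(user, required) would be rejected by the
     * compiler ("incompatible type for argument 1"). */
    return level_sufficient_typed(required, user);
}

/* Variadic wrapper for the second case in the text: with the format
 * attribute, gcc/clang -Wformat verify at compile time that each call
 * supplies the number and types of arguments the format string expects. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, va_idx) __attribute__((format(printf, fmt_idx, va_idx)))
#else
#define PRINTF_LIKE(fmt_idx, va_idx)
#endif

PRINTF_LIKE(3, 4)
int audit_log(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

int main(void) {
    char line[128];
    user_level_t guest = { LEVEL_GUEST };
    required_level_t admin_only = { LEVEL_ADMIN };

    audit_log(line, sizeof line, "vulnerable: guest -> admin resource: %s",
              vulnerable_can_access(LEVEL_GUEST, LEVEL_ADMIN) ? "ALLOWED (bypass)" : "denied");
    puts(line);

    audit_log(line, sizeof line, "fixed:      guest -> admin resource: %s",
              fixed_can_access(guest, admin_only) ? "allowed" : "denied");
    puts(line);

    /* audit_log(line, sizeof line, "level=%d user=%s", LEVEL_GUEST);
     * would be flagged by -Wformat: too few arguments for the format. */
    return 0;
}
```

Compile with `-Wall -Wformat` (on by default with `-Wall` in GCC and Clang) to see the variadic check in action; the swapped-int call in `vulnerable_can_access` produces no warning at all, which is why the wrapper types are the more reliable defense for same-typed parameters.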
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| CERT C Secure Coding | DCL10-C | Maintain the contract between the writer and caller of variadic functions | - |
| CERT C Secure Coding | EXP37-C | Call functions with the correct number and type of arguments | CWE More Abstract |
| SEI CERT Perl Coding Standard | DCL00-PL | Do not use subroutine prototypes | CWE More Abstract |
| SEI CERT Perl Coding Standard | EXP33-PL | Do not invoke a function in a context for which it is not defined | Imprecise |