CWE-688: Function Call With Incorrect Variable or Reference as Argument

Description

The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2005-2548

Kernel code specifies the wrong variable in first argument, leading to resultant NULL pointer dereference.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	This problem typically occurs when the programmer makes a typo, or copy and paste errors.

Common Consequences

Impact: Quality Degradation — Notes:

Potential Mitigations

Testing: Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. (N/A)

Applicable Platforms

C (N/A, Undetermined)
Perl (N/A, Undetermined)

Demonstrative Examples

Intro: In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.

private static final String[] ADMIN_ROLES = ...; public boolean void accessGranted(String resource, String user) { String[] userRoles = getUserRoles(user); return accessGranted(resource, ADMIN_ROLES); } private boolean void accessGranted(String resource, String[] userRoles) { // grant or deny access based on user roles ... }

Notes

No notes available.

← Back to CWE list