Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-628 (使用不正确指定参数的函数调用) — Vulnerability Class 2

2 vulnerabilities classified as CWE-628 (使用不正确指定参数的函数调用). AI Chinese analysis included.

CWE-628 represents a critical programming error where a function is invoked with improperly specified arguments, resulting in unpredictable and often maliciously exploitable behavior. This weakness typically manifests through mismatched argument counts, incorrect data types, swapped parameter orders, or passing invalid references, which can lead to memory corruption, logic bypasses, or application crashes. Attackers frequently exploit these flaws by crafting inputs that trigger type confusion or buffer overflows, allowing them to execute arbitrary code or escalate privileges. To mitigate this risk, developers must enforce strict type checking and utilize static analysis tools to detect signature mismatches during compilation. Additionally, adopting strongly typed languages and comprehensive unit testing ensures that function calls align precisely with expected interfaces, thereby preventing the introduction of incorrect arguments and maintaining system integrity against potential exploitation vectors.

MITRE CWE Description
The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. There are multiple ways in which this weakness can be introduced, including: the wrong variable or reference; an incorrect number of arguments; incorrect order of arguments; wrong type of arguments; or wrong value.
Common Consequences (1)
Other, Access ControlQuality Degradation, Gain Privileges or Assume Identity
This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.
Mitigations (2)
Build and CompilationOnce found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
Architecture and DesignMake sure your API's are stable before you use them in production code.
Examples (2)
The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.
function authenticate($username, $password) { // authenticate user ... } authenticate($_POST['password'], $_POST['username']);
Bad · PHP
This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.
sub ReportAuth { my ($username, $result, $fatal) = @_; PrintLog("auth: username=%s, result=%d", $username, $result); if (($result ne "success") && $fatal) { die "Failed!\n"; } } sub PrivilegedFunc { my $result = CheckAuth($username); ReportAuth($username, $result, 0); DoReallyImportantStuff(); }
Bad · Perl
CVE IDTitleCVSSSeverityPublished
CVE-2019-14844 MIT krb5 安全漏洞 — krb5 7.5 -2019-09-26
CVE-2019-7303 Snapd seccomp filter TIOCSTI ioctl bypass — snapd 5.3 -2019-04-23

Vulnerabilities classified as CWE-628 (使用不正确指定参数的函数调用) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.