CWE-234

Variant Abstraction Level
Pillar — Highest-level weakness category
Class — Abstract, language-independent
Base — Specific enough to detect
Variant — Tied to specific technology
Compound — Requires multiple weaknesses
Incomplete MITRE CWE Status
Stable — Fully reviewed and complete
Draft — Under development, may change
Incomplete — Partially defined by MITRE
Deprecated — No longer recommended
Obsolete — Replaced by another CWE
Exploit: High
Failure to Handle Missing Parameter

Description

If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.

Consequences

Integrity, Confidentiality, Availability, Access Control — Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

There is the potential for arbitrary code execution with privileges of the vulnerable program if function parameter list is exhausted.

Availability — DoS: Crash, Exit, or Restart

Potentially a program could fail if it needs more arguments then are available.

Mitigations

Phase: Build and Compilation

This issue can be simply combated with the use of proper build process.

Phase: Implementation

Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.