1. Home
  2. CWE Database
  3. CWE-685
Variant · Low-Medium

CWE-685: Function Call With Incorrect Number of Arguments

The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

CWE-685 · Variant Level ·1 Mitigations

Description

The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

Potential Impact

Other

Quality Degradation

Mitigations & Prevention

Testing

Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.

Detection Methods

  • Other — While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers of arguments, such as format strings in C. It also can occur in languages or environments that do not require that functions always be ca

CWE-628: Function Call with Incorrectly Specified Arguments

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-i...

Taxonomy Mappings

  • Software Fault Patterns: SFP1 — Glitch in computation
  • CERT C Secure Coding: EXP37-C — Call functions with the correct number and type of arguments
  • CERT C Secure Coding: FIO47-C — Use valid format strings

Frequently Asked Questions

What is CWE-685?

CWE-685 (Function Call With Incorrect Number of Arguments) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

How can CWE-685 be exploited?

Attackers can exploit CWE-685 (Function Call With Incorrect Number of Arguments) to quality degradation. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-685?

Key mitigations include: Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typi

What is the severity of CWE-685?

CWE-685 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.