CWE-685: Function Call With Incorrect Number of Arguments

VariantDraft

The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
CPerl
Platforms

Frequently Asked Questions

What is CWE-685: Function Call With Incorrect Number of Arguments?+

CWE-685: Function Call With Incorrect Number of Arguments is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

What are the security consequences of Function Call With Incorrect Number of Arguments?+

If exploited, CWE-685 (Function Call With Incorrect Number of Arguments) it can compromise Other, leading to outcomes such as Quality Degradation.

How do you prevent or mitigate Function Call With Incorrect Number of Arguments?+

Recommended mitigations for CWE-685 include: Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.

How is Function Call With Incorrect Number of Arguments detected?+

CWE-685 can be detected using Other. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Function Call With Incorrect Number of Arguments?+

CWE-685 commonly affects C and Perl. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-685 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More