Function Call with Incorrectly Specified Arguments
Weakness ID: 628 (Weakness Base)Status: Draft
+ Description

Description Summary

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Extended Description

There are multiple ways in which this weakness can be introduced, including:

  • (1) the wrong variable or reference;

  • (2) an incorrect number of arguments;

  • (3) incorrect order of arguments;

  • (4) wrong type of arguments; or

  • (5) wrong value.

+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Detection Methods


Since these bugs typically introduce obviously incorrect behavior, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.

+ Observed Examples
CVE-2006-7049The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.
+ Potential Mitigations

Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.

Make sure your API's are stable before you use them in production code.

+ Weakness Ordinalities

This is usually primary to other weaknesses, but it can be resultant if the function's API or function prototype changes.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory559Often Misused: Arguments and Parameters
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class573Failure to Follow Specification
Research Concepts (primary)1000
ChildOfCategoryCategory736CERT C Secure Coding Section 02 - Declarations and Initialization (DCL)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
ChildOfCategoryCategory737CERT C Secure Coding Section 03 - Expressions (EXP)
Weaknesses Addressed by the CERT C Secure Coding Standard734
ChildOfCategoryCategory742CERT C Secure Coding Section 08 - Memory Management (MEM)
Weaknesses Addressed by the CERT C Secure Coding Standard734
ParentOfWeakness VariantWeakness Variant683Function Call With Incorrect Order of Arguments
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant685Function Call With Incorrect Number of Arguments
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant686Function Call With Incorrect Argument Type
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant687Function Call With Incorrectly Specified Argument Value
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant688Function Call With Incorrect Variable or Reference as Argument
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT C Secure CodingDCL10-CMaintain the contract between the writer and caller of variadic functions
CERT C Secure CodingEXP37-CCall functions with the arguments intended by the API
CERT C Secure CodingMEM08-CUse realloc() only to resize dynamically allocated arrays
+ Content History
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Other Notes, Weakness Ordinalities
2008-11-24CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-10-29CWE Content TeamMITREInternal
updated Detection Factors, Other Notes, Weakness Ordinalities
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Incorrectly Specified Arguments