The code uses a variable that has not been initialized, leading
to unpredictable or unintended results.
Extended Description
In some languages, such as C, reading an uninitialized variable is undefined
behavior; in practice the variable holds whatever the memory it occupies
previously contained. An attacker can sometimes control or read these contents.
Time of Introduction
Implementation
Applicable Platforms
Languages
C: (Sometimes)
C++: (Sometimes)
Perl: (Often)
All
Common Consequences
Scope: Availability, Integrity
Effect: Uninitialized variables usually contain junk, which cannot be trusted
for consistency. This can lead to denial of service conditions, or modify
control flow in unexpected ways. In some cases, an attacker can
"pre-initialize" the variable using previous actions, which might enable
code execution. This can cause a race condition if a lock variable check
passes when it should not.
Scope: Authorization
Effect: Strings that are not initialized are especially dangerous, since many
functions expect a null at the end -- and only at the end -- of a string.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
The following switch statement is intended to set the values of the
variables aN and bN, but in the default case, the programmer has
accidentally set the value of aN twice. As a result, bN will have an
undefined value.
(Bad Code)
C
/* aN and bN are declared earlier and neither is initialized */
switch (ctl) {
    case -1:
        aN = 0;
        bN = 0;
        break;
    case 0:
        aN = i;
        bN = -i;
        break;
    case 1:
        aN = i + NEXT_SZ;
        bN = i - NEXT_SZ;
        break;
    default:
        aN = -1;
        aN = -1;   /* typo: this line was meant to set bN */
        break;
}
repaint(aN, bN);   /* bN is indeterminate whenever the default case ran */
Most uninitialized variable issues result in general software
reliability problems, but if attackers can intentionally trigger the use
of an uninitialized variable, they might be able to launch a denial of
service attack by crashing the program. Under the right circumstances,
an attacker may be able to control the value of an uninitialized
variable by affecting the values on the stack prior to the invocation of
the function.
Most compilers will warn about the use of uninitialized variables if warnings
are turned on (for example, GCC's -Wuninitialized and -Wmaybe-uninitialized,
the latter only when optimizing, and Clang's -Wuninitialized and
-Wsometimes-uninitialized, all enabled by -Wall).
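A corrected version of the switch above, added here as an example and not part of the original page: both outputs are initialized at declaration, the default branch assigns both, and the function signals an unhandled ctl value to the caller instead of silently passing a sentinel on. The value of NEXT_SZ and the struct pair return type are assumptions; the page defines neither.

```c
#include <stdio.h>

#define NEXT_SZ 8   /* assumed value; the page does not define NEXT_SZ */

struct pair {
    int aN;
    int bN;
};

/* Recomputes the page's switch as a function that returns both values.
 * Returns 0 on success and -1 when ctl is not one of the handled cases, so the
 * caller cannot mistake the "unknown ctl" path for a valid pair. Both locals are
 * assigned before the switch, so no path leaves either one indeterminate. */
int compute_pair(int ctl, int i, struct pair *out)
{
    int aN = 0;   /* initialized at declaration ... */
    int bN = 0;   /* ... so repaint-style consumers never see stack garbage */
    int rc = 0;

    switch (ctl) {
    case -1:
        aN = 0;
        bN = 0;
        break;
    case 0:
        aN = i;
        bN = -i;
        break;
    case 1:
        aN = i + NEXT_SZ;
        bN = i - NEXT_SZ;
        break;
    default:
        /* the page's version wrote "aN = -1; aN = -1;" here; set both and
         * report the unexpected ctl to the caller */
        aN = -1;
        bN = -1;
        rc = -1;
        break;
    }

    out->aN = aN;
    out->bN = bN;
    return rc;
}

int main(void)
{
    struct pair p;
    int ctl;

    for (ctl = -1; ctl <= 2; ctl++) {
        int rc = compute_pair(ctl, 10, &p);
        printf("ctl=%d rc=%d aN=%d bN=%d\n", ctl, rc, p.aN, p.bN);
    }
    return 0;
}
```

Compiling the original switch with the warning flags mentioned above is the cheapest check: the duplicated assignment to aN leaves bN unassigned on the default path, which is exactly the "may be used uninitialized" pattern those warnings exist to catch.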
Requirements
The choice could be made to use a language that is not susceptible to
these issues.
Architecture and Design
Mitigating technologies such as safe string libraries and container
abstractions could be introduced.
Other Notes
Before variables are initialized, they generally contain whatever data was left
in the memory they occupy. This data is very rarely useful, and it is generally
advised to initialize variables at declaration or set them to their first values
early. If a programmer forgets -- in the C language -- to initialize, for example,
a char array or char *, many of the simple string library functions will return
incorrect results, since they expect a null terminator at the end of the string
and will keep scanning until they find one.
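The string case above, shown as an added example that is not part of the original page: a routine copies characters into a buffer but never writes a terminator, relying on the buffer already holding one. With an uninitialized buffer the bytes after the copied text are whatever was on the stack; zero-initializing at declaration supplies the terminator the copy routine forgot. Because reading a genuinely uninitialized buffer is undefined behavior, the stale contents are simulated with a memset, which is a constructed stand-in and an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SZ 16

/* Constructed stand-in for stale stack contents: a real uninitialized buffer
 * holds whatever the previous frame left behind, and reading it is undefined
 * behaviour. Filling it with a non-null byte makes the demonstration
 * deterministic. */
static void simulate_stale_stack(char *buf, size_t n)
{
    memset(buf, 'A', n);
}

/* Copies up to n-1 bytes of src into dst but never writes a terminator,
 * relying on the buffer already holding one. Returns the bytes copied. */
static size_t copy_without_terminator(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    while (i < n - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    return i;
}

/* Bounded strlen(): stops at n so the check itself cannot run off the buffer.
 * Written out rather than using strnlen() to avoid a POSIX dependency. */
static size_t bounded_len(const char *s, size_t n)
{
    size_t i = 0;
    while (i < n && s[i] != '\0')
        i++;
    return i;
}

/* Bad pattern: the destination is never initialized, so after a short copy the
 * bytes past the text are leftover stack data. Returns 1 if the result is a
 * terminated string within the buffer, 0 if strlen() would run off the end. */
int uninitialized_buffer_is_terminated(const char *src)
{
    char name[NAME_SZ];                        /* not initialized */
    simulate_stale_stack(name, sizeof name);   /* stands in for leftover stack data */
    copy_without_terminator(name, sizeof name, src);
    return bounded_len(name, sizeof name) < sizeof name;
}

/* Good pattern: initializing at declaration fills the buffer with zero bytes,
 * so the byte after the copied text is already a terminator, whatever src is. */
int initialized_buffer_is_terminated(const char *src)
{
    char name[NAME_SZ] = {0};                  /* terminator guaranteed */
    copy_without_terminator(name, sizeof name, src);
    return bounded_len(name, sizeof name) < sizeof name;
}

int main(void)
{
    const char *inputs[] = { "bob", "a-name-that-is-far-too-long" };
    size_t k;
    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        printf("\"%s\": uninitialized terminated=%d, initialized terminated=%d\n",
               inputs[k],
               uninitialized_buffer_is_terminated(inputs[k]),
               initialized_buffer_is_terminated(inputs[k]));
    }
    return 0;
}
```

The initialized version is not a licence to skip explicit termination: it only works because the copy is bounded to n-1 bytes, leaving the final zero byte untouched. Initialization removes the dependence on stack contents; the bound keeps the guarantee intact for over-long input.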
Stack variables in C and C++ are not initialized by default. Their initial
values are determined by whatever happens to be in their location on the
stack at the time the function is invoked. Programs should never use the
value of an uninitialized variable. It is not uncommon for programmers to
use an uninitialized variable in code that handles errors or other rare and
exceptional circumstances. Uninitialized variable warnings can sometimes
indicate the presence of a typographic error in the code.