The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.
Time of Introduction
Implementation
Applicable Platforms
Languages
C: (Sometimes)
C++: (Sometimes)
Perl: (Sometimes)
All
Common Consequences
Scope
Effect
Other
Technical Impact: Alter execution
logic
This weakness can cause unintended logic to be executed and other
unexpected application behavior.
Likelihood of Exploit
Low
Demonstrative Examples
Example 1
The following C/C++ and C# examples attempt to validate an int input
parameter against the integer value 100.
(Bad Code)
Example Languages: C and C#
int isValid(int value) {
if (value=100) {
printf("Value is valid\n");
return(1);
}
printf("Value is not valid\n");
return(0);
}
(Bad Code)
Example
Language: C#
bool isValid(int value) {
if (value=100) {
Console.WriteLine("Value is valid.");
return true;
}
Console.WriteLine("Value is not valid.");
return false;
}
However, the expression to be evaluated in the if statement uses the
assignment operator "=" rather than the comparison operator "==". The
result of using the assignment operator instead of the comparison
operator causes the int variable to be reassigned locally and the
expression in the if statement will always evaluate to the value on the
right hand side of the expression. This will result in the input value
not being properly validated, which can cause unexpected results.
Example 2
The following C/C++ example shows a simple implementation of a stack
that includes methods for adding and removing integer values from the stack.
The example uses pointers to add and remove integer values to the stack
array variable.
(Bad Code)
Example Languages: C and C++
#define SIZE 50
int *tos, *p1, stack[SIZE];
void push(int i) {
p1++;
if(p1==(tos+SIZE)) {
// Print stack overflow error message and
exit
}
*p1 == i;
}
int pop(void) {
if(p1==tos) {
// Print stack underflow error message and
exit
}
p1--;
return *(p1+1);
}
int main(int argc, char *argv[]) {
// initialize tos and p1 to point to the top of
stack
tos = stack;
p1 = stack;
// code to add and remove items from stack
...
return 0;
}
The push method includes an expression to assign the integer value to
the location in the stack pointed to by the pointer variable.
However, this expression uses the comparison operator "==" rather than
the assignment operator "=". The result of using the comparison operator
instead of the assignment operator causes erroneous values to be entered
into the stack and can cause unexpected results.
Other Notes
These types of bugs generally are the result of a typo. Although most of
them can easily be found when testing of the program, it is important that
one correct these problems, since they almost certainly will break the
code.
Do not perform assignments in conditional
ressions
CERT C++ Secure Coding
MSC02-CPP
Avoid errors of omission
CERT C++ Secure Coding
MSC03-CPP
Avoid errors of addition
References
[REF-7] Mark Dowd, John McDonald
and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Typos", Page 289.. 1st Edition. Addison Wesley. 2006.
Description
