|
 DescriptionDescription Summary The software contains conditionals with multiple logical
expressions where one or more of the non-leading logical expressions produces
side effects that may not be executed due to short circuiting logic. This may
lead to an unexpected state in the program after the execution of the
conditional.
Extended Description Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, leading to error-prone conditions later in the software's life cycle. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system. If the first condition of an "or" statement is assumed to be true under normal circumstances, or if the first condition of an "and" statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing. Finally, the usage of short circuit evaluation may decrease the maintainability of the code. Time of Introduction
Common Consequences
Likelihood of ExploitVery Low Demonstrative ExamplesExample 1 The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user. (Bad Code) C #define PRIV_ADMIN 0 #define PRIV_REGULAR 1 typedef struct{ int privileges;
int id;
} user_t; user_t *Add_Regular_Users(int num_users){ user_t* users = (user_t*)calloc(num_users,
sizeof(user_t));
int i = num_users;
while( --i && (users[i].privileges =
PRIV_REGULAR) ){
users[i].id = i;
}
return users;
} int main(){ user_t* test;
int i;
test = Add_Regular_Users(25);
for(i = 0; i < 25; i++) printf("user %d has privilege
level %d\n", test[i].id, test[i].privileges);
} When compiled and run, the above code will output a privilege level of 1, or PRIV_REGULAR for every user but the user with id 0 since the prefix increment operator used in the if statement will reach zero and short circuit before setting the 0th user's privilege level. Since we used calloc, this privilege will be set to 0, or PRIV_ADMIN. Potential Mitigations
Relationships
Taxonomy Mappings
Content History
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Page Last Updated:
October 29, 2009
|
|
CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Contact cwe@mitre.org for more information. |
|
|