CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-783: Operator Precedence Logic Error

Weakness ID: 783
Abstraction: Variant
Status: Draft
Presentation Filter:
+ Description

Description Summary

The program uses an expression in which operator precedence causes incorrect logic to be used.

Extended Description

While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.

+ Applicable Platforms

Languages

C: (Rarely)

C++: (Rarely)

Any: (Rarely)

+ Modes of Introduction

Logic errors related to operator precedence may cause problems even during normal operation, so they are probably discovered quickly during the testing phase. If testing is incomplete or there is a strong reliance on manual review of the code, then these errors may not be discovered before the software is deployed.

+ Common Consequences
ScopeEffect
Confidentiality
Integrity
Availability

Technical Impact: Varies by context; Unexpected state

The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.

+ Likelihood of Exploit

Low

+ Demonstrative Examples

Example 1

In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.

(Bad Code)
Example Language:
#define FAIL 0
#define SUCCESS 1

...

int validateUser(char *username, char *password) {

int isUser = FAIL;

// call method to authenticate username and password
// if authentication fails then return failure otherwise return success
if (isUser = AuthenticateUser(username, password) == FAIL) {
return isUser;
}
else {
isUser = SUCCESS;
}

return isUser;
}

However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.

(Good Code)
Example Language:
...

if ((isUser = AuthenticateUser(username, password)) == FAIL) {

...

Example 2

In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs.

(Bad Code)
Example Language: Java 
public double calculateReturnOnInvestment(double currentValue, double initialInvestment) {

double returnROI = 0.0;

// calculate return on investment
returnROI = currentValue - initialInvestment / initialInvestment;

return returnROI;
}

However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below.

(Good Code)
Example Language: Java 
...

returnROI = (currentValue - initialInvestment) / initialInvestment;

...

Note that the initialInvestment variable in this example should be validated to ensure that it is greater than zero to avoid a potential divide by zero error (CWE-369).

+ Observed Examples
ReferenceDescription
Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
+ Potential Mitigations

Phase: Implementation

Regularly wrap sub-expressions in parentheses, especially in security-critical code.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory569Expression Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class670Always-Incorrect Control Flow Implementation
Research Concepts (primary)1000
ChildOfCategoryCategory737CERT C Secure Coding Section 03 - Expressions (EXP)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT C Secure CodingEXP00-CExactUse parentheses for precedence of operation
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Precedence", Page 287.. 1st Edition. Addison Wesley. 2006.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-07-16MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2009-12-28CWE Content TeamMITREInternal
updated Observed_Examples
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Demonstrative_Examples, References, Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017