Incorrect Short Circuit Evaluation
ID: 768 | Created: 2012-05-14 | Modified: 2022-10-10
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The software contains a conditional statement with multiple
logical expressions in which one of the non-leading expressions may produce side
effects. This may lead to an unexpected state in the program after the execution
of the conditional, because short-circuiting logic may prevent the side effects
from occurring.
Extended Description
Usage of short-circuit evaluation, though well-defined in the C standard,
may alter control flow in a way that introduces logic errors that are
difficult to detect, possibly causing errors later during the software's
execution. If an attacker can discover such an inconsistency, it may be
exploitable to gain arbitrary control over a system.

If the first condition of an "or" statement is assumed to be true under
normal circumstances, or if the first condition of an "and" statement is
assumed to be false, then the remaining operands are rarely evaluated, and
any logic errors they contain may go undetected during code review or
testing.

Finally, the usage of short-circuit evaluation may decrease the
maintainability of the code.
Likelihood of Exploit: Very Low
Applicable Platforms
None
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Confidentiality, Integrity, Availability | | Widely varied consequences are possible if an attacker is aware of an unexpected state in the software after a conditional. It may lead to information exposure, a system crash, or even complete attacker control of the system.
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Implementation | | Minimizing the number of expressions in a conditional that produce side effects reduces the likelihood that short-circuit evaluation alters control flow in an unexpected way. | |
Relationships
Related CWE | Type | View | Chain
---|---|---|---
ChildOf CWE-885 | Category | CWE-888 |
Demonstrative Examples (Details)
- The following function attempts to take a size value from a user and
allocate an array of that size (bounds checking is ignored for simplicity).
The function tries to initialize each slot with the value of its index, that
is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0. However,
since the programmer uses the prefix decrement operator as the first operand
of the conditional, when the conditional is evaluated with i == 1 the
decrement yields 0 for the first part of the predicate, and short-circuit
evaluation skips the second part entirely. The assignment to A[0] therefore
never runs, so the value in A[0] when the array is returned to the user is
whatever the allocator left there.
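The listing the example text refers to is not reproduced on this page. The following is an added example, written for this page rather than taken from the CWE entry, that reconstructs the described loop from the prose above (a prefix decrement as the first operand of `&&`, with the assignment in the second operand) and places it beside a corrected version. It also illustrates the Extended Description's point that the operand after a short-circuiting operator is the one that silently fails to run. All function names (`init_array_buggy`, `init_array_fixed`, `first_uninitialized`, `check_init`) are assumptions; the pre-fill with a sentinel value is an addition so that the skipped slot is observable deterministically, where a real program would simply see uninitialized heap memory.

```c
#include <stdio.h>
#include <stdlib.h>

#define SENTINEL (-1)   /* no valid index is negative, so -1 marks "never written" */

/* Allocate len ints and pre-fill them with SENTINEL (assumed helper).
   The pre-fill is an addition for determinism: with a bare malloc() the slot
   the bug skips would hold whatever the allocator left there, which is exactly
   what makes the defect hard to notice in testing. */
static int *alloc_filled(int len)
{
    if (len <= 0)
        return NULL;
    int *A = malloc(sizeof(int) * (size_t)len);
    if (A == NULL)
        return NULL;
    for (int i = 0; i < len; i++)
        A[i] = SENTINEL;
    return A;
}

/* Buggy version, following the CWE description: the prefix decrement is the
   first operand of &&. When i reaches 1, --i yields 0, && short-circuits, and
   the assignment A[0] = 0 in the second operand is never executed. For every
   i >= 1 the assignment evaluates to a nonzero value, so the loop continues. */
int *init_array_buggy(int len)
{
    int *A = alloc_filled(len);
    if (A == NULL)
        return NULL;
    int i = len;
    while (--i && (A[i] = i)) {
        /* all of the work happens in the condition */
    }
    return A;
}

/* Fixed version: the condition has no side effects, the body does the work,
   and the loop runs down to and including index 0. */
int *init_array_fixed(int len)
{
    int *A = alloc_filled(len);
    if (A == NULL)
        return NULL;
    for (int i = len - 1; i >= 0; i--)
        A[i] = i;
    return A;
}

/* Return the first index whose slot does not hold its own index, or -1 if
   every slot is correctly initialized. */
int first_uninitialized(const int *A, int len)
{
    for (int i = 0; i < len; i++)
        if (A[i] != i)
            return i;
    return -1;
}

/* Run one initializer and report its first bad index: -1 if none,
   -2 if allocation failed. Lets both versions be compared side by side. */
int check_init(int *(*init)(int), int len)
{
    int *A = init(len);
    if (A == NULL)
        return -2;
    int bad = first_uninitialized(A, len);
    free(A);
    return bad;
}

int main(void)
{
    printf("buggy: first uninitialized index = %d\n", check_init(init_array_buggy, 8));
    printf("fixed: first uninitialized index = %d\n", check_init(init_array_fixed, 8));
    return 0;
}
```

With the sentinel pre-fill, `check_init(init_array_buggy, 8)` reports index 0 as never written while the fixed version reports none. Without the pre-fill the buggy version would return a plausible-looking array most of the time, which is why the mitigation above recommends keeping side effects out of conditionals rather than relying on testing to catch them.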
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
CLASP | | Failure to protect stored data from modification |
CERT C++ Secure Coding | EXP02-CPP | Be aware of the short-circuit behavior of the logical AND and OR operators |
References: None