CWE-768 不正确的快捷方式验证
Incorrect Short Circuit Evaluation
结构: Simple
Abstraction: Variant
状态: Incomplete
被利用可能性: Low
基本描述
The software contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.
扩展描述
Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, possibly causing errors later during the software's execution. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system.
If the first condition of an "or" statement is assumed to be true under normal circumstances, or if the first condition of an "and" statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing.
Finally, the usage of short circuit evaluation may decrease the maintainability of the code.
相关缺陷
- cwe_Nature: ChildOf cwe_CWE_ID: 691 cwe_View_ID: 1000 cwe_Ordinal: Primary
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Confidentiality', 'Integrity', 'Availability'] | Widely varied consequences are possible if an attacker is aware of an unexpected state in the software after a conditional. It may lead to information exposure, a system crash, or even complete attacker control of the system. |
可能的缓解方案
Implementation
策略:
Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.
示例代码
例
The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user.
bad C
#define PRIV_REGULAR 1
typedef struct{
int id;
} user_t;
user_t Add_Regular_Users(int num_users){
int i = num_users;
while( --i && (users[i].privileges = PRIV_REGULAR) ){
}
return users;
}
int main(){
int i;
test = Add_Regular_Users(25);
for(i = 0; i }
When compiled and run, the above code will output a privilege level of 1, or PRIV_REGULAR for every user but the user with id 0 since the prefix increment operator used in the if statement will reach zero and short circuit before setting the 0th user's privilege level. Since we used calloc, this privilege will be set to 0, or PRIV_ADMIN.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Failure to protect stored data from modification | ||
| Software Fault Patterns | SFP1 | Glitch in computation |
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论