CWE-768 不正确的快捷方式验证

Incorrect Short Circuit Evaluation

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: Low

基本描述

The software contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.

扩展描述

Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, possibly causing errors later during the software's execution. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system.

If the first condition of an "or" statement is assumed to be true under normal circumstances, or if the first condition of an "and" statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing.

Finally, the usage of short circuit evaluation may decrease the maintainability of the code.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 691 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity', 'Availability'] Widely varied consequences are possible if an attacker is aware of an unexpected state in the software after a conditional. It may lead to information exposure, a system crash, or even complete attacker control of the system.

可能的缓解方案

Implementation

策略:

Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.

示例代码

The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user.

bad C

#define PRIV_ADMIN 0
#define PRIV_REGULAR 1
typedef struct{
int privileges;
int id;
} user_t;
user_t Add_Regular_Users(int num_users){
user_t users = (user_t)calloc(num_users, sizeof(user_t));
int i = num_users;
while( --i && (users[i].privileges = PRIV_REGULAR) ){
users[i].id = i;
}
return users;
}
int main(){
user_t test;
int i;
test = Add_Regular_Users(25);
for(i = 0; i < 25; i++) printf("user %d has privilege level %d\n", test[i].id, test[i].privileges);
}

When compiled and run, the above code will output a privilege level of 1, or PRIV_REGULAR for every user but the user with id 0 since the prefix increment operator used in the if statement will reach zero and short circuit before setting the 0th user's privilege level. Since we used calloc, this privilege will be set to 0, or PRIV_ADMIN.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Failure to protect stored data from modification
Software Fault Patterns SFP1 Glitch in computation