Operator Precedence Logic Error| ID: 783 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
The program uses an expression in which operator precedence
causes incorrect logic to be used.
Extended DescriptionWhile often just a bug, operator precedence logic errors can have serious
consequences if they are used in security-critical code, such as making an
authentication decision.
Likelihood of Exploit: Low
Applicable PlatformsLanguage: RarelyLanguage: CLanguage: RarelyLanguage: C++Language Class: RarelyLanguage Class: Any
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityIntegrityAvailability | Varies by contextUnexpected state | The consequences will vary based on the context surrounding the
incorrect precedence. In a security decision, integrity or
confidentiality are the most likely results. Otherwise, a crash may
occur due to the software reaching an unexpected state. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Regularly wrap sub-expressions in parentheses, especially in
security-critical code. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-783 ChildOf CWE-737 | Category | CWE-734 | |
Demonstrative Examples (Details)
- In the following example, the method validateUser makes a call to
another method to authenticate a username and password for a user and
returns a success or failure code.
- In this example, the method calculates the return on investment for
an accounting/financial application. The return on investment is calculated
by subtracting the initial investment costs from the current value and then
dividing by the initial investment costs.
Observed Examples
- CVE-2008-2516 : Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
- CVE-2008-0599 : Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
- CVE-2001-1155 : Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CERT C Secure Coding | EXP00-C | Use parentheses for precedence of operation | Exact |
References:
- CERT .EXP00-C. Use parentheses for precedence of
operation.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 6, "Precedence", Page 287.'. Published on 2006.
