The product uses an expression in which operator precedence causes incorrect logic to be used.
While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.
Threat Mapped score: 0.0
Industry: Finiancial
Threat priority: Unclassified
CVE: CVE-2008-2516
Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
CVE: CVE-2008-0599
Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
CVE: CVE-2001-1155
Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
N/A
N/A
| Phase | Note |
|---|---|
| Implementation | Logic errors related to operator precedence may cause problems even during normal operation, so they are probably discovered quickly during the testing phase. If testing is incomplete or there is a strong reliance on manual review of the code, then these errors may not be discovered before the software is deployed. |
Intro: In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
Body: However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
#define FAIL 0 #define SUCCESS 1 ... int validateUser(char *username, char *password) { int isUser = FAIL; // call method to authenticate username and password // if authentication fails then return failure otherwise return success if (isUser = AuthenticateUser(username, password) == FAIL) { return isUser; } else { isUser = SUCCESS; } return isUser; }Intro: In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs.
Body: However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below.
public double calculateReturnOnInvestment(double currentValue, double initialInvestment) { double returnROI = 0.0; // calculate return on investment returnROI = currentValue - initialInvestment / initialInvestment; return returnROI; }