Difference between revisions of "Assigning instead of comparing"

(Reverting to last version not containing links to s1.shard.jp)
 
(10 intermediate revisions by 3 users not shown)
Line 2: Line 2:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 
<br>
 
<br>
[[ASDR Table of Contents]]
 
 
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 +
  
 
==Description==
 
==Description==
 
In many languages, the ''compare'' statement is very close in appearance to the ''assignment'' statement and are often confused.
 
In many languages, the ''compare'' statement is very close in appearance to the ''assignment'' statement and are often confused.
  
This bug is generally as a result of a typo and usually should cause obvious problems with program execution. If the comparison is in an ''if'' statement, the ''if ''statement will always return the value of the right-hand side variable.
+
This bug is generally a result of a typo and usually should cause obvious problems with program execution. If the comparison is in an ''if'' statement, the ''if ''statement will always return the value of the right-hand side variable.
  
 
'''Consequences'''
 
'''Consequences'''
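
Review bot: the corrected Description sentence on the + line still ends with "the ''if ''statement will always return the value of the right-hand side variable", which is imprecise because an if statement returns nothing. Suggest saying that the condition evaluates to the assigned value, so whether the branch is taken depends only on the right-hand side. The unchanged line above it ("is very close in appearance to the ''assignment'' statement and are often confused") has a subject-verb mismatch that could be fixed in the same edit, and the stray space inside ''if '' belongs outside the italics.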

Latest revision as of 07:50, 3 June 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 06/3/2009



Description

In many languages, the comparison operator looks very similar to the assignment operator, and the two are often confused.

This bug is generally the result of a typo and should usually cause obvious problems with program execution. If the intended comparison is the condition of an if statement, the condition evaluates to the value of the right-hand side instead, so whether the branch is taken no longer depends on the variable being tested.

Consequences

Unspecified.

Exposure period

  • Pre-design through Build: The use of tools to detect this problem is recommended.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.

Platform

  • Languages: C, C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

Low


Risk Factors

TBD


Examples

In C/C++/Java:

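#include <stdio.h>

void called(int foo){
        /* Bug: '=' assigns 1 to foo instead of comparing, so the condition is always true */
        if (foo=1)  printf("foo\n");
}

int main(){
        called(2);  /* prints "foo" even though 2 != 1 */
        return 0;
}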


Related Attacks

TBD

Related Vulnerabilities

Related Controls

  • Pre-design through Build: Many IDEs and static analysis products will detect this problem.
  • Implementation: Place constants on the left-hand side of comparisons. If an assignment is then written by mistake, the code attempts to assign a variable's value to a constant, and the compiler produces an error.
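
The bug from the Examples section beside the constant-on-the-left control, in an authorization-style check; this is an added example, not part of the original OWASP page, and the role constants and function names are hypothetical.

```c
/* Compiles with plain cc. Adding -Wall -Werror=parentheses makes GCC and
 * Clang reject the two buggy functions below. */
#include <stdio.h>

#define ROLE_USER  0   /* hypothetical role values for this example */
#define ROLE_ADMIN 1

/* BUG: '=' stores ROLE_ADMIN (1) in role; the condition is 1, always true. */
int is_admin_buggy(int role) {
    if (role = ROLE_ADMIN)
        return 1;
    return 0;
}

/* BUG in the other direction: the assigned value is 0, so the branch is dead. */
int is_user_buggy(int role) {
    if (role = ROLE_USER)
        return 1;
    return 0;
}

/* Fixed, constant on the left: writing 'ROLE_ADMIN = role' by mistake
 * would not compile, because a constant is not assignable. */
int is_admin(int role) {
    if (ROLE_ADMIN == role)
        return 1;
    return 0;
}

int main(void) {
    printf("buggy is_admin: user->%d admin->%d\n",
           is_admin_buggy(ROLE_USER), is_admin_buggy(ROLE_ADMIN));
    printf("buggy is_user:  user->%d\n", is_user_buggy(ROLE_USER));
    printf("fixed is_admin: user->%d admin->%d\n",
           is_admin(ROLE_USER), is_admin(ROLE_ADMIN));
    return 0;
}
```

The second buggy function shows that the typo does not always make a check pass: when the assigned value is zero, the guarded code silently never runs.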


Related Technical Impacts

TBD


References

TBD