Assigning instead of comparing

From OWASP
Revision as of 07:55, 22 September 2008 by KirstenS (Talk | contribs)

Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Contents


Last revision (mm/dd/yy): 09/22/2008

Vulnerabilities Table of Contents

ASDR Table of Contents

Description

In many languages, the compare statement is very close in appearance to the assignment statement and are often confused.

This bug is generally as a result of a typo and usually should cause obvious problems with program execution. If the comparison is in an if statement, the if statement will always return the value of the right-hand side variable.


Consequences

Unspecified.

Exposure period

  • Pre-design through Build: The use of tools to detect this problem is recommended.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.

Platform

  • Languages: C, C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

Low


Risk Factors

TBD


Examples

In C/C++/Java:

void called(int foo){
        if (foo=1)  printf("foo\n");
}

int main(){
        called(2);
        return 0;
}


Related Attacks


Related Vulnerabilities


Related Controls

  • Control 1
  • Control 2
  • Pre-design: Through Build: Many IDEs and static analysis products will detect this problem.
  • Implementation: Place constants on the left. If one attempts to assign a constant with a variable, the compiler will of course produce an error.


Related Technical Impacts


References

TBD