Failure to account for default case in switch

From OWASP
Revision as of 15:52, 4 August 2006 by Weilin Zhong (Talk | contribs)


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Overview

The failure to account for the default case in switch statements may lead to complex logical errors and may aid in other, unexpected security-related conditions.

Consequences

  • Undefined: Depending on the logical circumstances involved, any consequences may result: e.g., issues of confidentiality, authentication, authorization, availability, integrity, accountability, or non-repudiation.

Exposure period

  • Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

  • Language: Any
  • Platform: Any

Required resources

Any

Severity

Undefined.

Likelihood of exploit

Undefined.

Avoidance and mitigation

  • Implementation: Ensure that there are no unaccounted-for cases when adjusting flow or values based on the value of a given variable. In switch statements, this can be accomplished through the use of the default label.

Discussion

This flaw represents a common problem in software development, in which not all possible values for a variable are considered or handled by a given process. Because of this, further decisions are made based on poor information, and cascading failure results.

This cascading failure may result in any number of security issues, and constitutes a significant failure in the system. In the case of switch-style statements, the very simple act of creating a default case can mitigate this situation, if done correctly.

Often, however, the default case is used simply to represent an assumed option, as opposed to working as a sanity check. This is poor practice and in some cases is as bad as omitting a default case entirely.

Examples

In general, a safe switch statement has this form:

#include <stdio.h>

/* Each expected value gets its own case; the default label
   catches every other value instead of silently ignoring it. */
void describe(char value)
{
    switch (value) {
    case 'A':
        printf("A!\n");
        break;
    case 'B':
        printf("B!\n");
        break;
    default:
        printf("Neither A nor B\n");
    }
}

This is because it cannot be assumed that every possible value has been accounted for. A good practice is to reserve the default case for error handling.
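The following is an added example, not code from the OWASP page, contrasting the two uses of the default label described above: in the weak form the default stands in for an assumed option, so an unexpected account-type code is quietly granted user-level access; in the hardened form the default is reserved for error handling and denies anything unrecognised. The account-type codes and access levels are constructed for illustration.

```c
#include <stdio.h>

/* Constructed example: map a one-character account type to an
   access level. Codes 'a', 'u' and 'g' are assumed to be the only
   valid values. */
enum access { ACCESS_DENIED = 0, ACCESS_GUEST = 1, ACCESS_USER = 2, ACCESS_ADMIN = 3 };

/* Weak form: the default label doubles as the "assumed" option
   (an ordinary user), so a corrupted or unexpected type code is
   silently treated as a user instead of as an error. */
enum access access_level_weak(char type)
{
    switch (type) {
    case 'a':
        return ACCESS_ADMIN;
    case 'g':
        return ACCESS_GUEST;
    case 'u':
    default:            /* unknown input is assumed to be a user */
        return ACCESS_USER;
    }
}

/* Hardened form: every known value has its own case and the
   default label is used only as a sanity check, so anything
   unexpected is logged and denied. */
enum access access_level_safe(char type)
{
    switch (type) {
    case 'a':
        return ACCESS_ADMIN;
    case 'u':
        return ACCESS_USER;
    case 'g':
        return ACCESS_GUEST;
    default:
        fprintf(stderr, "unexpected account type 0x%02x\n",
                (unsigned char)type);
        return ACCESS_DENIED;
    }
}

int main(void)
{
    const char inputs[] = { 'a', 'u', 'g', 'x', '\0' };  /* constructed inputs */
    for (size_t i = 0; i < sizeof inputs; i++)
        printf("type 0x%02x: weak=%d safe=%d\n", (unsigned char)inputs[i],
               access_level_weak(inputs[i]), access_level_safe(inputs[i]));
    return 0;
}
```

Running it shows that both functions agree on the three valid codes, and disagree only on the unexpected ones, where the weak form grants ACCESS_USER and the hardened form returns ACCESS_DENIED.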

Related problems

  • Undefined: A logical flaw of this kind might lead to any number of other flaws.