Difference between revisions of "Misinterpreted function return value"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
 +
{{Template:Vulnerability}}
  
==Overview==
+
[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]
  
If a function's return value is not properly checked, the function could have failed without proper acknowledgement.
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
==Consequences ==
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
* Integrity: The data - which was produced as a result of an improperly checked return value of a function - could be in a bad state.
+
[[ASDR Table of Contents]]
 +
__TOC__
  
==Exposure period ==
 
  
* Requirements specification: The choice could be made to use a language that uses exceptions rather than return values to handle status.
+
==Description==
  
* Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.
+
If a function's return value is not properly checked, the function could have failed without proper acknowledgement.
  
==Platform ==
+
'''Consequences'''
  
* Languages: C or C++
+
* Integrity: The data - which was produced as a result of an improperly checked return value of a function - could be in a bad state.
  
* Operating platforms: Any
+
'''Exposure period'''
  
==Required resources ==
+
* Requirements specification: The choice could be made to use a language that uses exceptions rather than return values to handle status.
 +
* Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.
 +
 
 +
'''Platform'''
 +
 
 +
* Languages: C or C++
 +
* Operating platforms: Any
 +
 
 +
'''Required resources'''
  
 
Any
 
Any
  
==Severity ==
+
'''Severity'''
  
 
Medium
 
Medium
  
==Likelihood   of exploit ==
+
'''Likelihood of exploit'''
  
 
Low
 
Low
  
==Avoidance and mitigation ==
+
Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function.
  
* Requirements specification: Use a language or compiler that uses exceptions and requires the catching of those exceptions.
 
  
* Implementation: Properly check all functions which return a value.
+
==Risk Factors==
  
* Implementation: When designing any function make sure you return a value or throw an exception in case of an error.
+
TBD
  
==Discussion ==
+
==Examples==
 
+
Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function.
+
 
+
==Examples ==
+
  
 
In C/C++
 
In C/C++
Line 54: Line 58:
 
</pre>
 
</pre>
  
==Related problems ==
 
  
Not available.
+
==Related [[Attacks]]==
 +
 
 +
* [[Attack 1]]
 +
* [[Attack 2]]
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* Requirements specification: Use a language or compiler that uses exceptions and requires the catching of those exceptions.
 +
* Implementation: Properly check all functions which return a value.
 +
* Implementation: When designing any function make sure you return a value or throw an exception in case of an error.
 +
 
 +
 
 +
==Related [[Technical Impacts]]==
 +
 
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 
 +
 
 +
==References==
 +
 
 +
TBD
 +
[[Category:FIXME|add links
 +
 
 +
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 +
 
 +
Availability Vulnerability
 +
 
 +
Authorization Vulnerability
 +
 
 +
Authentication Vulnerability
 +
 
 +
Concurrency Vulnerability
 +
 
 +
Configuration Vulnerability
 +
 
 +
Cryptographic Vulnerability
 +
 
 +
Encoding Vulnerability
 +
 
 +
Error Handling Vulnerability
 +
 
 +
Input Validation Vulnerability
 +
 
 +
Logging and Auditing Vulnerability
 +
 
 +
Session Management Vulnerability]]
 +
 
 +
__NOTOC__
  
  
 +
[[Category:OWASP ASDR Project]]
 
[[Category:Vulnerability]]
 
[[Category:Vulnerability]]
 
[[Category:General Logic Error Vulnerability]]
 
[[Category:General Logic Error Vulnerability]]

Revision as of 13:52, 26 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 09/26/2008

Vulnerabilities Table of Contents

ASDR Table of Contents

Contents


Description

If a function's return value is not properly checked, the function could have failed without proper acknowledgement.

Consequences

  • Integrity: The data - which was produced as a result of an improperly checked return value of a function - could be in a bad state.

Exposure period

  • Requirements specification: The choice could be made to use a language that uses exceptions rather than return values to handle status.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack, or misuse, of mitigating technologies.

Platform

  • Languages: C or C++
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Low

Important and common functions will return some value about the success of its actions. This will alert the program whether or not to handle any errors caused by that function.


Risk Factors

TBD

Examples

In C/C++

    if (malloc(sizeof(int*4) < 0 )
        perror("Failure"); //should have checked if the call returned 0


Related Attacks


Related Vulnerabilities


Related Controls

  • Requirements specification: Use a language or compiler that uses exceptions and requires the catching of those exceptions.
  • Implementation: Properly check all functions which return a value.
  • Implementation: When designing any function make sure you return a value or throw an exception in case of an error.


Related Technical Impacts


References

TBD