Difference between revisions of "Omitted break statement"

From OWASP
(Reverting to last version not containing links to www.textcnaleto.com)
 
(7 intermediate revisions by 3 users not shown)

Latest revision as of 13:29, 27 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 05/27/2009


Description

Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should not be used.

Consequences

Unspecified.

Exposure period

  • Pre-design through Build: The use of tools to detect this problem is recommended.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by the lack of, or misuse of, mitigating technologies.

Platform

  • Languages: C/C++/Java
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

Medium

While most languages with similar constructs automatically run only a single branch, C and C++ are different. This has bitten many programmers, and can lead to critical code executing in situations where it should not.


Risk Factors

TBD

Examples

Java:

// Class and main method added so the snippet compiles; the fall-through is intentional.
public class SwitchDemoFallThrough {
    public static void main(String[] args) {
        int month = 8;
        // Every case omits "break", so execution falls through into all the
        // later cases. For month == 8 this prints
        // "AugustSeptemberOctoberNovemberDecember is a great month".
        switch (month) {
            case 1:  System.out.print("January");
            case 2:  System.out.print("February");
            case 3:  System.out.print("March");
            case 4:  System.out.print("April");
            case 5:  System.out.print("May");
            case 6:  System.out.print("June");
            case 7:  System.out.print("July");
            case 8:  System.out.print("August");
            case 9:  System.out.print("September");
            case 10: System.out.print("October");
            case 11: System.out.print("November");
            case 12: System.out.print("December");
        }
        System.out.println(" is a great month");
    }
}

C/C++:

The C/C++ version is identical if one replaces print with printf or cout.

One might think that, having tested only case 12, the program displays that the respective month "is a great month." However, if one tested November, one would notice that it displays "November December is a great month," because control falls through from case 11 into case 12.
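As an added illustration (not code from the OWASP page), the same switch written in C with the breaks omitted, beside the if-statement form the page recommends under mitigation; the helper app and both function names are assumed for this example.

```c
#include <string.h>

/* Bounded append helper for the demo (assumed helper, not from the page). */
static void app(char *dst, size_t n, const char *src) {
    size_t used = strlen(dst);
    if (used + 1 < n)
        strncat(dst, src, n - used - 1);
}

/* Buggy form, mirroring the page's Java example: every case omits `break`,
 * so control falls through into all later cases. For month == 11 the buffer
 * ends up holding "NovemberDecember is a great month". GCC/Clang flag this
 * with -Wimplicit-fallthrough, which most static analyzers also report. */
void month_message_fallthrough(int month, char *out, size_t n) {
    out[0] = '\0';
    switch (month) {
        case 1:  app(out, n, "January");
        case 2:  app(out, n, "February");
        case 3:  app(out, n, "March");
        case 4:  app(out, n, "April");
        case 5:  app(out, n, "May");
        case 6:  app(out, n, "June");
        case 7:  app(out, n, "July");
        case 8:  app(out, n, "August");
        case 9:  app(out, n, "September");
        case 10: app(out, n, "October");
        case 11: app(out, n, "November");
        case 12: app(out, n, "December");
    }
    app(out, n, " is a great month");
}

static const char *MONTHS[12] = {
    "January", "February", "March", "April", "May", "June",
    "July", "August", "September", "October", "November", "December"
};

/* Corrected form using the if-statement approach: one bounds-checked lookup
 * selects exactly one name, so no fall-through path exists and out-of-range
 * input is handled explicitly instead of silently printing nothing. */
void month_message_fixed(int month, char *out, size_t n) {
    out[0] = '\0';
    if (month >= 1 && month <= 12)
        app(out, n, MONTHS[month - 1]);
    else
        app(out, n, "unknown month");
    app(out, n, " is a great month");
}
```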


Related Attacks


Related Vulnerabilities

Related Controls

  • Pre-design through Build: Most static analysis programs should be able to catch these errors.
  • Implementation: The functionality of omitting a break statement could be clarified with an if statement. This method is much safer.


Related Technical Impacts


References

TBD