Omitted break statement

Revision as of 07:04, 26 May 2009 by Deleted user


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 05/26/2009



Omitting a break statement so that one may fall through is often indistinguishable from an error, and therefore should not be used.



Exposure period

  • Pre-design through Build: The use of tools to detect this problem is recommended.
  • Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.


  • Languages: C/C++/Java
  • Operating platforms: Any

Required resources




Likelihood of exploit


While most languages with similar constructs automatically run only a single branch, C and C++ are different. This has bitten many programmers, and can lead to critical code executing in situations where it should not.

Risk Factors




    int month = 8;
    switch (month) {
        /* No case ends with break, so execution falls through from the
           matching case to the end of the switch. */
        case 1:  print("January");
        case 2:  print("February");
        case 3:  print("March");
        case 4:  print("April");
        case 5:  print("May");
        case 6:  print("June");
        case 7:  print("July");
        case 8:  print("August");
        case 9:  print("September");
        case 10: print("October");
        case 11: print("November");
        case 12: print("December");
    }
    println(" is a great month");


The behavior is identical if one replaces print with printf or cout.

One might think that testing only case 12 is enough, since it displays that the respective month "is a great month." However, if one tested November, one would notice that it displays "November December is a great month."

Related Attacks

Related Vulnerabilities

Related Controls

  • Pre-design through Build: Most static analysis programs should be able to catch these errors.
  • Implementation: The functionality of omitting a break statement could be clarified with an if statement. This method is much safer.
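The following added example (not part of the original page) shows how a missing break can run critical code when it should not, next to the corrected switch and the if-statement form suggested under Related Controls. The roles, permission bits and function names are constructed for illustration.

```c
#include <stdio.h>

/* Constructed roles and permission bits, for illustration only. */
enum role { ROLE_GUEST, ROLE_EDITOR, ROLE_ADMIN };
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_ADMIN = 4 };

/* Flawed: no case ends in break, so every role runs on into the ROLE_ADMIN
   assignment and leaves with full privileges. */
unsigned perms_flawed(enum role r)
{
    unsigned p = 0;
    switch (r) {
    case ROLE_GUEST:  p = PERM_READ;
    case ROLE_EDITOR: p = PERM_READ | PERM_WRITE;
    case ROLE_ADMIN:  p = PERM_READ | PERM_WRITE | PERM_ADMIN;
    }
    return p;
}

/* Corrected: each case ends in break; unknown roles get nothing. */
unsigned perms_fixed(enum role r)
{
    unsigned p = 0;
    switch (r) {
    case ROLE_GUEST:  p = PERM_READ;                           break;
    case ROLE_EDITOR: p = PERM_READ | PERM_WRITE;              break;
    case ROLE_ADMIN:  p = PERM_READ | PERM_WRITE | PERM_ADMIN; break;
    default:          p = 0;                                   break;
    }
    return p;
}

/* Cumulative grants written with if statements instead of deliberate
   fall-through, so the intent cannot be mistaken for a missing break. */
unsigned perms_if(enum role r)
{
    unsigned p = 0;
    if (r == ROLE_GUEST || r == ROLE_EDITOR || r == ROLE_ADMIN) p |= PERM_READ;
    if (r == ROLE_EDITOR || r == ROLE_ADMIN)                    p |= PERM_WRITE;
    if (r == ROLE_ADMIN)                                        p |= PERM_ADMIN;
    return p;
}

int main(void)
{
    printf("guest: flawed=%u fixed=%u if=%u\n", perms_flawed(ROLE_GUEST),
           perms_fixed(ROLE_GUEST), perms_if(ROLE_GUEST));
    return 0;
}
```

GCC's -Wimplicit-fallthrough warning (also enabled by -Wextra) reports the missing breaks in perms_flawed at compile time.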

Related Technical Impacts