Operator Precedence Logic Error
Weakness ID: 783 (Weakness Variant)Status: Draft
+ Description

Description Summary

The program uses an expression in which operator precedence causes incorrect logic to be used.

Extended Description

While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.

+ Applicable Platforms

Languages

C: (Rarely)

C++: (Rarely)

Any: (Rarely)

+ Modes of Introduction

Logic errors related to operator precedence may cause problems even during normal operation, so they are probably discovered quickly during the testing phase. If testing is incomplete or there is a strong reliance on manual review of the code, then these errors may not be discovered before the software is deployed.

+ Common Consequences
ScopeEffect
Confidentiality
Integrity
Availability

The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.

+ Likelihood of Exploit

Low

+ Observed Examples
ReferenceDescription
CVE-2008-2516Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
CVE-2008-0599Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
CVE-2001-1155Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
+ Potential Mitigations

Phase: Implementation

Regularly wrap sub-expressions in parentheses, especially in security-critical code.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory569Expression Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class670Always-Incorrect Control Flow Implementation
Research Concepts (primary)1000
ChildOfCategoryCategory737CERT C Secure Coding Section 03 - Expressions (EXP)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT C Secure CodingEXP00-CExactUse parentheses for precedence of operation
+ References
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2009-07-16MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2009-12-28CWE Content TeamMITREInternal
updated Observed Examples
Back to top