Description
The program uses an expression in which operator precedence causes incorrect logic to be used.
While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Low
Related Weaknesses
Consequences
Confidentiality, Integrity, Availability: Varies by Context, Unexpected State
The consequences will vary based on the context surrounding the incorrect precedence. In a security decision, integrity or confidentiality are the most likely results. Otherwise, a crash may occur due to the software reaching an unexpected state.
Potential Mitigations
Phase: Implementation
Effectiveness:
Description:
Regularly wrap sub-expressions in parentheses, especially in security-critical code.
CVE References
- CVE-2008-2516
- Authentication module allows authentication bypass because it uses “(x = call(args) == SUCCESS)” instead of “((x = call(args)) == SUCCESS)”.
- CVE-2008-0599
- Chain: Language interpreter calculates wrong buffer size (CWE-131) by using “size = ptr ? X : Y” instead of “size = (ptr ? X : Y)” expression.
- CVE-2001-1155
- Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.