CWE-482: Comparing instead of Assigning

Description

The code uses an operator for comparison when the intention was to perform an assignment.

In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.

Potential Impact

Availability, Integrity

Unexpected State

Demonstrative Examples

The following example demonstrates the weakness.

Bad

void called(int foo) {foo==1;if (foo==1) System.out.println("foo\n");}int main() {
                        
                           called(2);return 0;
                     }

The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable.

Bad

#define SIZE 50int *tos, *p1, stack[SIZE];
                     void push(int i) {
                        p1++;if(p1==(tos+SIZE)) {
                              
                                 
                                 // Print stack overflow error message and exit
                                 
                              
                           }*p1 == i;
                     }
                     int pop(void) {
                        if(p1==tos) {
                              
                                 
                                 // Print stack underflow error message and exit
                                 
                              
                           }p1--;return *(p1+1);
                     }
                     int main(int argc, char *argv[]) {
                        
                           
                           // initialize tos and p1 to point to the top of stack
                           tos = stack;p1 = stack;
                           // code to add and remove items from stack
                           ...return 0;
                     }

The push method includes an expression to assign the integer value to the location in the stack pointed to by the pointer variable.

However, this expression uses the comparison operator "==" rather than the assignment operator "=". The result of using the comparison operator instead of the assignment operator causes erroneous values to be entered into the stack and can cause unexpected results.

Mitigations & Prevention

Testing

Many IDEs and static analysis products will detect this problem.

Detection Methods

Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Automated Static Analysis - Source Code — An Integrated Development Environment (IDE) or linter can report or highlight this weaknesses.

Taxonomy Mappings

CLASP: — Comparing instead of assigning
Software Fault Patterns: SFP2 — Unused Entities

Frequently Asked Questions

What is CWE-482?

CWE-482 (Comparing instead of Assigning) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The code uses an operator for comparison when the intention was to perform an assignment.

How can CWE-482 be exploited?

Attackers can exploit CWE-482 (Comparing instead of Assigning) to unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-482?

Key mitigations include: Many IDEs and static analysis products will detect this problem.

What is the severity of CWE-482?

CWE-482 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.