1. Home
  2. CWE Database
  3. CWE-768
Variant · Low-Medium

CWE-768: Incorrect Short Circuit Evaluation

The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program...

CWE-768 · Variant Level ·1 Mitigations

Description

The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.

Usage of short circuit evaluation, though well-defined in the C standard, may alter control flow in a way that introduces logic errors that are difficult to detect, possibly causing errors later during the product's execution. If an attacker can discover such an inconsistency, it may be exploitable to gain arbitrary control over a system. If the first condition of an "or" statement is assumed to be true under normal circumstances, or if the first condition of an "and" statement is assumed to be false, then any subsequent conditional may contain its own logic errors that are not detected during code review or testing. Finally, the usage of short circuit evaluation may decrease the maintainability of the code.

Potential Impact

Confidentiality, Integrity, Availability

Varies by Context

Demonstrative Examples

The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user.
Bad
#define PRIV_ADMIN 0#define PRIV_REGULAR 1typedef struct{int privileges;int id;} user_t;user_t *Add_Regular_Users(int num_users){user_t* users = (user_t*)calloc(num_users, sizeof(user_t));int i = num_users;while( --i && (users[i].privileges = PRIV_REGULAR) ){users[i].id = i;}return users;}int main(){user_t* test;int i;test = Add_Regular_Users(25);for(i = 0; i < 25; i++) printf("user %d has privilege level %d\n", test[i].id, test[i].privileges);}
When compiled and run, the above code will output a privilege level of 1, or PRIV_REGULAR for every user but the user with id 0 since the prefix increment operator used in the if statement will reach zero and short circuit before setting the 0th user's privilege level. Since we used calloc, this privilege will be set to 0, or PRIV_ADMIN.

Mitigations & Prevention

Implementation

Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-691: Insufficient Control Flow Management

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow c...

Taxonomy Mappings

  • CLASP: — Failure to protect stored data from modification
  • Software Fault Patterns: SFP1 — Glitch in computation

Frequently Asked Questions

What is CWE-768?

CWE-768 (Incorrect Short Circuit Evaluation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program...

How can CWE-768 be exploited?

Attackers can exploit CWE-768 (Incorrect Short Circuit Evaluation) to varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-768?

Key mitigations include: Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.

What is the severity of CWE-768?

CWE-768 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.