CWE-456: Missing Initialization of a Variable

Description

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Example Vulnerable Codes

Example - 1

This function attempts to extract a pair of numbers from a user-supplied string.


die("Did not specify integer value. Die evil hacker!\n");
// /* proceed assuming n and m are initialized correctly */// 
int m, n, error;error = sscanf(untrusted_input, "%d:%d", &m, &n);if ( EOF == error ){}void parse_data(char *untrusted_input){}

This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:

123:

then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).

Example - 2

Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.



// // Do something interesting.// 
// // Throws NPE if user hasn't been properly initialized.// 
...String username = user.getName();private User user;public void someMethod() {}

Example - 3

This code first authenticates a user, then allows a delete command if the user is an administrator.

$isAdmin = true;
// /.../// 
deleteUser($userToDelete);if (authenticate($username,$password) && setAdmin($username)){}if ($isAdmin){}

The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.

Example - 4

In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.



// // user allowed to perform bank manager tasks// 
// // constructor for BankManager class// 
...
// // retrieve user from database of users// 
...
// // set user variable using username// 
this.user = getUserFromUserDatabase(username);
// // authenticate user// 
isUserAuthentic = true;
if (username.equals(user.getUsername()) && password.equals(user.getPassword())) {}return isUserAuthentic;
// // methods for performing bank manager tasks// 
private User user = null;private boolean isUserAuthentic = false;public BankManager() {}public User getUserFromUserDatabase(String username){}public void setUser(String username) {}public boolean authenticateUser(String username, String password) {}...public class BankManager {}

However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.



// // user allowed to perform bank manager tasks// 
// // constructor for BankManager class// 
user = getUserFromUserDatabase(username);
// // retrieve user from database of users// 
// // authenticate user// 
System.out.println("Cannot find user " + username);
isUserAuthentic = true;if (password.equals(user.getPassword())) {}
if (user == null) {}else {}return isUserAuthentic;

// // methods for performing bank manager tasks// 
...
private User user = null;private boolean isUserAuthentic = false;public BankManager(String username) {}public User getUserFromUserDatabase(String username) {...}public boolean authenticateUser(String username, String password) {}public class BankManager {}

Example - 5

This example will leave test_string in anunknown condition when i is the same value as err_val,because test_string is not initialized(CWE-456). Depending on where this code segment appears(e.g. within a function body), test_string might berandom if it is stored on the heap or stack. If thevariable is declared in static memory, it might be zeroor NULL. Compiler optimization might contribute to theunpredictability of this address.


test_string = "Hello World!";
char *test_string;if (i != err_val){}printf("%s", test_string);

When the printf() is reached,test_string might be an unexpected address, so theprintf might print junk strings (CWE-457).To fix this code, there are a couple approaches tomaking sure that test_string has been properly set onceit reaches the printf().One solution would be to set test_string to anacceptable default before the conditional:


test_string = "Hello World!";
char *test_string = "Done at the beginning";if (i != err_val){}printf("%s", test_string);

Another solution is to ensure that eachbranch of the conditional - including the default/elsebranch - could ensure that test_string is set:


test_string = "Hello World!";
test_string = "Done on the other side!";
char *test_string;if (i != err_val){}else {}printf("%s", test_string);

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 22, 2024 8:18