logo

Insufficient Control Flow Management

Draft Pillar
Structure: Simple
Description

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Common Consequences 1
Scope: Other

Impact: Alter Execution Logic
Demonstrative Examples 3

ID : DX-24

The following function attempts to acquire a lock in order to perform operations on a shared resource.

Code Example:

Bad
C
c

/* access shared resource /

c
However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.
In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels.

Code Example:

Good
C
c

/* access shared resource /

c

ID : DX-181

In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.

Code Example:

Bad
C
c
This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.

ID : DX-157

This function prints the contents of a specified file requested by a user.

Code Example:

Bad
PHP
php

//read file into string* $file = file_get_contents($filename); if ($file && isOwnerOf($username,$filename)){ ``` echo $file; return true; } else{ echo 'You are not authorized to view this file'; } return false; }

This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
  
Observed Examples 3
CVE-2019-9805Chain: Creation of the packet client occurs before initialization is complete (Incorrect Behavior Order) resulting in a read from uninitialized memory (Use of Uninitialized Resource), causing memory corruption.
CVE-2014-1266chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). Incorrect Control Flow Scoping (Incorrect Control Flow Scoping) -> Dead Code (Dead Code) -> Improper Certificate Validation (Improper Certificate Validation) -> Return of Wrong Status Code (Return of Wrong Status Code) -> Channel Accessible by Non-Endpoint (Channel Accessible by Non-Endpoint).
CVE-2011-1027Chain: off-by-one error (Off-by-one Error) leads to infinite loop (Loop with Unreachable Exit Condition ('Infinite Loop')) using invalid hex-encoded characters.
   
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Not Language-Specific : Undetermined 
 
 
Technologies:
 
 
 Not Technology-Specific : Undetermined 
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Architecture and Design  
 
  Implementation  
 
 
 
  
Related Attack Patterns 
         
Taxonomy Mapping 
  • WASC