Incorrect Control Flow Scoping

Abstraction: Class
Status: Incomplete
Structure: Simple
Description

The product does not return control flow to the correct location after it has completed a task or detected an unusual condition, so execution continues (or stops) somewhere the developer did not intend.

Common Consequences

Scope: Other

Impact: Alter Execution Logic; Other

Demonstrative Examples

ID : DX-39

The following example attempts to resolve a hostname.

Code Example (Bad, Java):

A DNS lookup failure (an UnknownHostException from the resolver) is not caught, so the exception propagates out of the Servlet's request method. Control never returns to the Servlet's own logic; the container answers with its own error page instead, which may include stack-trace details the application never meant to send.
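The same pattern in Python, as an added example that is not the CWE entry's Java code: the resolver, the two handlers and the `dispatch` stand-in for the container are all constructed for this illustration, and `fake_resolve` replaces `socket.gethostbyname()` so it runs offline. The unchecked handler lets the failure escape; the fixed one handles it where it occurs and keeps control of the response.

```python
import socket

# Constructed offline resolver table standing in for real DNS.
_FAKE_DNS = {"app.example.test": "192.0.2.10"}


def fake_resolve(hostname):
    """Mimics socket.gethostbyname(): raises socket.gaierror when the name is unknown."""
    try:
        return _FAKE_DNS[hostname]
    except KeyError:
        # -2 is EAI_NONAME on glibc; the value is illustrative here.
        raise socket.gaierror(-2, "Name or service not known") from None


def handle_lookup_unchecked(hostname, resolve=fake_resolve):
    """Bad (the DX-39 pattern): the resolver failure is not caught, so the
    exception leaves the handler at a point the author never chose. In a
    servlet the equivalent UnknownHostException reaches the container, which
    emits its own error page and possibly a stack trace."""
    addr = resolve(hostname)
    return 200, f"{hostname} -> {addr}"


def handle_lookup(hostname, resolve=fake_resolve):
    """Fixed: the failure is handled where it can occur and control returns to
    the handler, which chooses the response."""
    try:
        addr = resolve(hostname)
    except socket.gaierror:
        return 400, "unable to resolve hostname"
    return 200, f"{hostname} -> {addr}"


def dispatch(handler, hostname):
    """Constructed stand-in for the container: reports whether the handler
    returned normally or let an exception escape."""
    try:
        return handler(hostname)
    except Exception as exc:
        # The container, not the handler, now decides what the client sees.
        return 500, f"unhandled {type(exc).__name__}"


if __name__ == "__main__":
    print(dispatch(handle_lookup_unchecked, "nope.invalid"))  # container error path
    print(dispatch(handle_lookup, "nope.invalid"))            # handler-controlled 400
```

The check to apply in review: every call that can throw a checked or resolver-type error inside a request method needs a handler that returns to the request method's own flow; anything that escapes hands the rest of the request to the container.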

ID : DX-180

This code queries a server and displays its status when a request comes from an authorized IP address.

Code Example (Bad, PHP):

This code redirects unauthorized users, but http_redirect() only emits the redirect headers; it does not stop the script, so execution continues past the authorization check. Unauthorized users may therefore still receive the contents of the page, and every request, authorized or not, still triggers the query against the backend server, which an attacker can use to flood (DoS) that server. Also note that relying on the client IP address for the authorization decision is itself weak, since the source address can be spoofed (Reliance on IP Address for Authentication).
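A runnable model of the DX-180 pattern, added here and not the CWE entry's PHP code: `Response.redirect()` behaves like http_redirect() (sets headers, does not halt), `Backend` counts how often the queried server is hit, and the allowlist and IP addresses are constructed. The bad handler keeps executing after the redirect; the fixed one returns immediately.

```python
from dataclasses import dataclass, field

AUTHORIZED_IPS = {"192.0.2.7"}  # constructed allowlist (and still spoofable, see the text)


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""

    def redirect(self, location):
        # Like PHP's http_redirect(): sets status and Location, does NOT stop execution.
        self.status = 302
        self.headers["Location"] = location


class Backend:
    """Stand-in for the server being queried; counts the requests it receives."""

    def __init__(self):
        self.queries = 0

    def status(self):
        self.queries += 1
        return "backend: OK"


def show_status_bad(client_ip, backend):
    """Bad: the redirect is issued, but control falls through into the
    privileged part of the page (CWE-705 / DX-180)."""
    resp = Response()
    if client_ip not in AUTHORIZED_IPS:
        resp.redirect("/unauthorized")
        # no return here, so everything below still runs for this client
    resp.body = backend.status()  # backend is queried for every request
    return resp


def show_status_fixed(client_ip, backend):
    """Fixed: the unauthorized branch ends the request right after the redirect."""
    resp = Response()
    if client_ip not in AUTHORIZED_IPS:
        resp.redirect("/unauthorized")
        return resp  # control flow scoped to the check: nothing below runs
    resp.body = backend.status()
    return resp


if __name__ == "__main__":
    b = Backend()
    r = show_status_bad("198.51.100.9", b)
    print(r.status, r.body, "backend queries:", b.queries)  # 302, yet body filled and backend hit
```

Two things to look at when the bad version runs: the 302 response still carries the backend's output in its body, and the backend query count rises for an unauthorized client, which is the DoS vector the text describes.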

ID : DX-199

Included in the doPost() method defined below is a call to System.exit() in the event of a specific exception.

Code Example (Bad, Java):
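The DX-199 pattern modelled in Python, as an added example rather than the CWE entry's servlet: a POST handler that answers one exception by terminating the process. `parse_form`, `ParseError` and the `run_in_container` dispatcher are constructed for the illustration; Java's System.exit() halts the JVM outright, and the dispatcher turns that into a sentinel value so the example can run and be checked.

```python
import sys


class ParseError(ValueError):
    """Raised for a malformed form body (constructed for the example)."""


def parse_form(body):
    """Constructed parser for 'k=v&k2=v2' bodies; rejects pairs without '='."""
    fields = {}
    for pair in body.split("&"):
        if "=" not in pair:
            raise ParseError(f"malformed field: {pair!r}")
        key, value = pair.split("=", 1)
        fields[key] = value
    return fields


def do_post_bad(body):
    """Bad: one client's malformed request ends the whole server process,
    so every other in-flight request dies with it (CWE-705 / DX-199)."""
    try:
        return 200, parse_form(body)
    except ParseError:
        sys.exit(1)  # analogous to System.exit() inside doPost()


def do_post_fixed(body):
    """Fixed: the error is scoped to this request; control goes back to the
    container with a per-request error response."""
    try:
        return 200, parse_form(body)
    except ParseError as exc:
        return 400, {"error": str(exc)}


def run_in_container(handler, body):
    """Constructed stand-in for the container. A SystemExit escaping the
    handler stands for the process terminating: no response for this request
    and none for any other request the server was handling."""
    try:
        return handler(body)
    except SystemExit as exc:
        return "PROCESS TERMINATED", exc.code


if __name__ == "__main__":
    print(run_in_container(do_post_fixed, "user=alice&garbage"))  # (400, {...})
    print(run_in_container(do_post_bad, "user=alice&garbage"))    # ('PROCESS TERMINATED', 1)
```

The caveat worth keeping in mind: in a real container the bad case is a remotely triggerable denial of service, because the input that selects the exit path comes straight from the request body.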
Observed Examples

CVE-2023-21087: Java code in a smartphone OS can encounter a "boot loop" due to an uncaught exception.

CVE-2014-1266: chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing an Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). Chain: Incorrect Control Flow Scoping -> Dead Code -> Improper Certificate Validation -> Return of Wrong Status Code -> Channel Accessible by Non-Endpoint.
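The "goto fail" chain, modelled in Python as an added example (this is not Apple's code, and the "signature" is a constructed stand-in, a SHA-256 digest of the transcript, not RSA). A stray unconditional exit sits between two checks that have already passed, so the error variable is still 0 when it is returned and the signature comparison below it is never reached. The helper names `sha_update` and `raw_verify` mirror the roles of the update and verify steps in the original sequence and are assumptions of this example.

```python
import hashlib

# Constructed handshake transcript pieces.
SERVER_RANDOM = b"constructed-server-random"
SIGNED_PARAMS = b"constructed-signed-params"


def sha_update(h, data):
    """Plays the role of the hash-update step: 0 on success, nonzero on failure."""
    if data is None:
        return -1
    h.update(data)
    return 0


def raw_verify(digest, signature):
    """Plays the role of the raw signature check: 0 when it matches, nonzero otherwise."""
    return 0 if digest == signature else -1


def expected_signature(transcript):
    """What an honest peer would present in this toy model."""
    return hashlib.sha256(transcript).hexdigest()


def verify_buggy(signature):
    """The CVE-2014-1266 shape: an extra, unconditional early exit."""
    h = hashlib.sha256()
    if (err := sha_update(h, SERVER_RANDOM)) != 0:
        return err
    if (err := sha_update(h, SIGNED_PARAMS)) != 0:
        return err
    return err  # the duplicated "goto fail;": always taken, and err is 0 here
    # Dead code from this point on: the signature is never compared, so the
    # function returns success (0) for any signature at all.
    err = raw_verify(h.hexdigest(), signature)
    return err


def verify_fixed(signature):
    """Same sequence with the stray exit removed: every step is reachable."""
    h = hashlib.sha256()
    if (err := sha_update(h, SERVER_RANDOM)) != 0:
        return err
    if (err := sha_update(h, SIGNED_PARAMS)) != 0:
        return err
    return raw_verify(h.hexdigest(), signature)


if __name__ == "__main__":
    print("buggy accepts forged signature:", verify_buggy("forged") == 0)
    print("fixed rejects forged signature:", verify_fixed("forged") != 0)
```

Each link of the chain is visible in the buggy function: the misplaced exit (Incorrect Control Flow Scoping) makes the comparison unreachable (Dead Code), the check is skipped (Improper Certificate Validation) and 0 is returned (Return of Wrong Status Code). Unreachable-code warnings from the compiler or a linter are the cheapest detection for this class of bug.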
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • CERT C Secure Coding
  • CERT C Secure Coding
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • SEI CERT Perl Coding Standard