Missing Initialization of a Variable

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

  • Source

    CWE Catalog - 4.17

  • Identifier

    CWE-456

  • Status

    Draft

Contents

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

This function attempts to extract a pair of numbers from a user-supplied string.

void parse_data(char *untrusted_input){

  int m, n, error;
  error = sscanf(untrusted_input, "%d:%d", &m, &n);
  if ( EOF == error ){
    die("Did not specify integer value. Die evil hacker!\n");
  }
  /* proceed assuming n and m are initialized correctly */


}

This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:

123:

then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).

Example Two

Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

private User user;
public void someMethod() {


  // Do something interesting.
  ...

  // Throws NPE if user hasn't been properly initialized.
  String username = user.getName();

}

Example Three

This code first authenticates a user, then allows a delete command if the user is an administrator.

if (authenticate($username,$password) && setAdmin($username)){
  $isAdmin = true;
}
/.../

if ($isAdmin){
  deleteUser($userToDelete);
}

The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.

Example Four

In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.

public class BankManager {



  // user allowed to perform bank manager tasks
  private User user = null;
  private boolean isUserAuthentic = false;

  // constructor for BankManager class
  public BankManager() {
    ...
  }

  // retrieve user from database of users
  public User getUserFromUserDatabase(String username){
    ...
  }

  // set user variable using username
  public void setUser(String username) {
    this.user = getUserFromUserDatabase(username);
  }

  // authenticate user
  public boolean authenticateUser(String username, String password) {
    if (username.equals(user.getUsername()) && password.equals(user.getPassword())) {
      isUserAuthentic = true;
    }
    return isUserAuthentic;
  }

  // methods for performing bank manager tasks
  ...

}

However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.

public class BankManager {



  // user allowed to perform bank manager tasks
  private User user = null;
  private boolean isUserAuthentic = false;

  // constructor for BankManager class
  public BankManager(String username) {
    user = getUserFromUserDatabase(username);
  }

  // retrieve user from database of users
  public User getUserFromUserDatabase(String username) {...}

  // authenticate user
  public boolean authenticateUser(String username, String password) {

    if (user == null) {
      System.out.println("Cannot find user " + username);
    }
    else {
      if (password.equals(user.getPassword())) {
        isUserAuthentic = true;
      }
    }
    return isUserAuthentic;

  }



    // methods for performing bank manager tasks
    ...




}

Example Five

This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.

char *test_string;
if (i != err_val)
{

  test_string = "Hello World!";
}
printf("%s", test_string);

When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457).

To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf().

One solution would be to set test_string to an acceptable default before the conditional:

char *test_string = "Done at the beginning";
if (i != err_val)
{

  test_string = "Hello World!";
}
printf("%s", test_string);

Another solution is to ensure that each branch of the conditional - including the default/else branch - could ensure that test_string is set:

char *test_string;
if (i != err_val)
{

  test_string = "Hello World!";
}
else {

  test_string = "Done on the other side!";
}
printf("%s", test_string);

Example Six

Consider the following merchant server application as implemented in [REF-1475]. It receives card payment information (orderPgData instance in OrderPgData.java) from the payment gateway (such as PayPal). The next step is to complete the payment (finalizeOrder() in Main.java). The merchant server validates the amount (validateAmount() in OrderPgData.java), and if the validation is successful, then the payment is completed.

File: OrderPgData.java

public class OrderPgData {

  String PgType;
  int productPrice;
  int paymentAmount;
  private boolean isPaymentAmountTampered;

    public boolean getIsPaymentAmountTampered() {

      return this.isPaymentAmountTampered;

    }

  ...

public void validateAmount() {

  ... [sets this.setIsPaymentAmountTampered to true or false depending on whether the product price matches the payment amount]

}
File: PgServiceResolver.java

public class PgServiceResolver {

  public OrderPgData getOrderPgDataByPgType(String pgType, int productPrice, int paymentAmount) {

    ...
    switch(pgType) {

      case "card":

        System.out.println("In "+pgType+" payment logic, orderPgData does not verify whether the product amount and payment amount have been tampered with.");
        break;

      case "paypal":

        System.out.println("In "+pgType+" payment logic, orderPgData verifies whether the product amount and payment amount have been tampered with.");
        orderPgData.validateAmount();
        break;

      }
      ...
File: Main.java

public class Main {

  public static void main(String[] args) {
    String pgType = "card"; // or paypal
    int productPrice = 100;
    int paymentAmount = 10;
    PgServiceResolver pgServiceResolver = new PgServiceResolver();
    OrderPgData orderPgData = pgServiceResolver.getOrderPgDataByPgType(pgType, productPrice, paymentAmount);
    finalizeOrder(orderPgData);

  }
  private static void finalizeOrder(OrderPgData orderPgData) {

    if (orderPgData.getIsPaymentAmountTampered()) {

      System.out.println("The attacker tampered with the payment amount, but product payment is canceled.");

    } else {

      ... /* the product payment is completed */

    }
  }
}

In PgServiceResolver.java, when pgType is "card" indicating a card payment, orderPgData.validateAmount() is not called - that is, the amount is not validated to be the same as the expected price.

Since isPaymentAmountTampered is declared as a private boolean, but it is not initialized, it is forcibly initialized to false by the Java compiler [REF-1476].

If the adversary modifies the price, e.g., changing paymentAmount from 100 to 10, then no validation is performed. Since isPaymentAmountTampered is "false" because of the default initialization, the code finishes processing the payment because it does not believe that the amount has been changed.

This weakness could be addressed by setting the value of isPaymentAmountTampered to true. This is a "secure-by-default" value that reflects a "default deny" policy - i.e., it's assumed that the payment amount is tampered, and only a special validation step can change this assumption.

File: OrderPgData.java
...

  private boolean isPaymentAmountTampered = true;

See Also

Comprehensive Categorization: Resource Lifecycle Management

Weaknesses in this category are related to resource lifecycle management.

SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL)

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

SEI CERT C Coding Standard - Guidelines 12. Error Handling (ERR)

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

CWE Cross-section

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful t...

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.