Page History

...

/* First the options that are only allowed for root */
if (getuid == 0 || geteuid != 0) {
  /* ... */
}

...

This noncompliant code example is from an actual vulnerability (VU#837857) discovered in some versions of the X Window System server. The vulnerability exists because the programmer neglected to provide the open and close parentheses following the geteuid() function identifier. As a result, the geteuid token returns the address of the function, which is never equal to zero. As a result, the or condition of this if statement is always true and access is provided to the protected block for all users. Many compilers issue a warning noting such pointless expressions. Therefore, this coding error is normally detected by adherence to recommendation MSC00-C. Compile cleanly at high warning levels.

/* First the options that are only allowed for root */
if (getuid() == 0 || geteuid != 0) {
  /* ... */
}

...

/* First the options that are only allowed for root */
if (getuid() == 0 || geteuid() != 0) {
  /* ... */
}

...

/* First the options that are only allowed for root */ 
if (getuid == (uid_t(*)(void))0 || geteuid != (uid_t(*)(void))0) { 
  /* ... */ 
} 

...

int do_xyz(void); 
 
if (do_xyz) { 
  /* handle error */ 
} 

...

int do_xyz(void); 
 
if (do_xyz()) { 
  /* handle error */ 
} 

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C++ Secure Coding Standard: EXP16-CPP. Avoid conversions using void pointers

ISO/IEC TR 17961 (Draft) Comparing function addresses to zero [funcaddr]

ISO/IEC TR 24772 "KOA Likely Incorrect Expressions"

...