Page History

Comparing a function pointer to a value that is not a null function pointer of the same type will be diagnosed because it typically indicates programmer error and can result in unexpected behavior. Implicit comparisons will be diagnosed, as well.

...

In this noncompliant code example, the addresses of the POSIX functions getuid and geteuid are compared for equality to 0. Since the address of Because no function is address shall be null, the first subexpression will always evaluate to false (zero0), and the second subexpression always to true (nonzero). Consequently, the entire expression will always evaluate to true, leading to a potential security vulnerability.

Code Block

bgColor	#FFcccc
lang	c

/* First the options that are allowed only allowed for root */
if (getuid == 0 || geteuid != 0) {
  /* ... */
}

...

In this noncompliant code example, the function pointers getuid and geteuid are compared to 0. This noncompliant code example is from an actual vulnerability (VU#837857) discovered in some versions of the X Window System server. The vulnerability exists because the programmer neglected to provide the open and close parentheses following the geteuid() function identifier. As a result, the geteuid token returns the address of the function, which is never equal to zero0. Consequently, the or condition of this if statement is always true, and access is provided to the protected block for all users. Many compilers issue a warning noting such pointless expressions. Therefore, this coding error is normally detected by adherence to MSC00-C. Compile cleanly at high warning levels.

Code Block

bgColor	#FFcccc
lang	c

/* First the options that are allowed only allowed for root */
if (getuid() == 0 || geteuid != 0) {
  /* ... */
}

...

The solution is to provide the open and close parentheses following the geteuid token so that the function is properly invoked.:

Code Block

bgColor	#ccccff
lang	c

/* First the options that are allowed only allowed for root */
if (getuid() == 0 || geteuid() != 0) {
  /* ... */
}

...

A function pointer can be compared to a null function pointer of the same type.:

Code Block

bgColor	#ccccff
lang	c

/* First the options that are allowed only allowed for root */ 
if (getuid == (uid_t(*)(void))0 || geteuid != (uid_t(*)(void))0) { 
  /* ... */ 
}

...

In this noncompliant code example, the function pointer do_xyz is implicitly compared unequal to 0.:

Code Block

bgColor	#FFcccc
lang	c

int do_xyz(void); 
 
int f(void) {
/* ... */
  if (do_xyz) { 
    return -1; /* handle error Indicate failure */ 
  }
/* ... */
  return 0;
}

Compliant Solution

In this compliant solution, the function do_xyz() is invoked and the return value is compared to 0.:

Code Block

bgColor	#ccccff
lang	c

int do_xyz(void); 
 
int f(void) {
/* ... */ 
  if (do_xyz()) { 
    return -1; /* Indicate failure * handle error/
  }
/* ... */
  return 0;  
}

Risk Assessment

Errors of omission can result in unintended program flow.

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
EXP16-C

low

Low

likely

Likely

medium

Medium

P6

L2

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

function-name-constant-comparison

Partially checked

Coverity

Include Page

	Coverity_V
	Coverity_V

BAD_COMPARE

Can detect the specific instance where the address of a function is compared against 0, such as in the case of geteuid versus getuid() in the implementation-specific details

GCC

Include Page