Uninitialized Variable

From Guidance Share

Jump to: navigation, search

Contents

Description

Using the value of an uninitialized variable is not safe.

Applies To

  • Languages: C/C++
  • Operating platforms: Any

Example

The following code checks the value of foo without having initialized it:

int foo;
void bar(){
 if (foo==0) /.../
 /../
}

The value of foo is not guaranteed and can change on each run.

Impact

  • Integrity: Initial variables usually contain junk, which can not be trusted for consistency.
  • Authorization: Strings which are not initialized are especially dangerous, since many functions expect a null at the end of a string.

Vulnerabilities

  • Failure to initialize variables before use, especially when used in a logical condition.

Countermeasures

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Design: Mitigating technologies such as safe string libraries and container abstractions could be introduced.
  • Implementation: Assign all variables to an initial variable.
  • Build: Most compilers will complain about the use of unitinlizazed variables if warnings are turned on.

Vulnerability Patterns

How Tos

Personal tools