Spot the Bug! : Spot the Bug

Tuesday, August 16, 2005 7:42 PM rsamona

Spot the Bug - August 16, 2005

If you haven't taken a look at the solution to the last bug, please do so. There were 4 bugs in that short chink of code -- all of which are found in Visual Studio 2005! One is issued as a compiler warning and the other 3 are found by PREfast.

Here is the next "Spot the Bug." This one is certainly more lengthy and complex than the last. There were some typos in the original post which were fixed.
Courtesy of Shanit Gupta, Consultant (Foundstone)

private void TransferFunds ()
{
...
if (fromaccount.balance > amount) {
fromaccount.balance -= amount;
toaccount.balance += amount;
}
...
}

private void RetrieveAccountInfo (int payer, int payee)
{
...
...
...
fromAccount = RetrieveFundInfo(myConnection, payer);
toAccount = RetrieveFundInfo(myConnection, payee);
TransferFunds();
CommitChanges (fromAccount.number, fromAccount.balance);
CommitChanges (toAccount.number, toAccount.balance);
}

private int RetrieveFundInfo (SqlConnection myConnection, int accountNumber)
{
string mySelectQuery = "SELECT balance FROM Customers where accountnumber = " + “’” + accountNumber + “’”;
SqlCommand myCommand = new SqlCommand(mySelectQuery,myConnection);
SqlDataReader myReader = myCommand.ExecuteReader();
return myReader.GetInt32(0);
}

private void CommitChanges (int accountNumber, int balance);
{
string mySelectQuery = "UPDATE Customers Set Balance = “ + “’” + balance + “’” + “where AccountNumber = " + “’” + accountNumber + “’”;
SqlCommand myCommand = new SqlCommand(mySelectQuery,myConnection);
myCommand.ExecuteNonQuery();
}

Suggested Implementation:

private void TransferFunds ()

{

if (fromaccount.balance > amount) {

fromaccount.balance -= amount;

toaccount.balance += amount;

}

private void RetrieveAccountInfo (int payer, int payee)

{

...

SqlTransaction myTrans;

myTrans = myConnection.BeginTransaction("SampleTransaction");

try

{

fromAccount = RetrieveFundInfo(myConnection, payer);

toAccount = RetrieveFundInfo(myConnection, payee);

TransferFunds();

CommitChanges (fromAccount.number, fromAccount.balance);

CommitChanges (toAccount.number, toAccount.balance);

myTrans.Commit();

}

catch(Exception e)

{

try

{

myTrans.Rollback("SampleTransaction");

}

catch (SqlException ex)

{

if (myTrans.Connection != null)

{

Console.WriteLine("An exception of type " + ex.GetType() +

" was encountered while attempting to roll back the transaction.");

}

Console.WriteLine("An exception of type " + e.GetType() +

" was encountered while inserting the data.");

Console.WriteLine("Neither record was written to database.");

}

finally

{

myConnection.Close();

}

private int RetrieveFundInfo (SqlConnection myConnection, int accountNumber)

{

string mySelectQuery = "SELECT balance FROM Customers where accountnumber = " + “’” + accountNumber + “’”;

SqlCommand myCommand = new SqlCommand(mySelectQuery,myConnection);

SqlDataReader myReader = myCommand.ExecuteReader();

Return myReader.GetInt32(0);

}

private void CommitChanges (int accountNumber, int balance);

{

        string mySelectQuery = "UPDATE Customers Set Balance = “ + “’” + balance + “’”  + “where AccountNumber = " + “’” + accountNumber + “’”;

        SqlCommand myCommand = new SqlCommand(mySelectQuery,myConnection);

        myCommand.ExecuteNonQuery();

}

Description: Race conditions happen in a multi-threaded (process) environment where there is a window of vulnerability for state corruption and compromise. The condition occurs owing to the fact that the information read is different from information processed, which leaves the state inconsistent or incorrect. One way to avoid this possibility is by gaining exclusive locks on the rows that are being read and updated. The suggested code uses “SqlTransaction myTrans” which locks the rows for isolation property of the transaction.

Filed under: Bug Squashed

Comments

# re: Spot the Bug - August 16, 2005

Tuesday, August 16, 2005 11:59 PM by Ryan Russell

# re: Spot the Bug - August 16, 2005

Wednesday, August 17, 2005 12:11 AM by Ryan Russell

private void TransferFunds ()
{
...
if (fromaccount.balance > amount) {
fromaccount.balance --= amount;
toaccount.balance ++= amount;

So, we check if the balance is greater than the amount. We can't leave a 0 balance, we have to leave something behind? Though that may just be a business logic bug, not a security bug.

I don't even know what --= and ++= will do, surely they meant -= and += ?

Note that the account structs used in this function appear to be neither parameters nor locals. So we assume they are globals.

Note that we don't see the type declarations. It may be possible to use negative amounts, which will transfer funds in the opposite direction.

private void RetrieveAccountInfo (fromAccount, toAccount)

Now they are being passed as parameters. Case is a little different, though. Might be different structs, but if so, it's not a great idea having such similarly-named variables.

toAccoutn = RetrieveFundInfo(myConnection, toAccount.number);

Typo? (toAccoutn)

string mySelectQuery = "SELECT balance FROM Customers where accountnumber = " + “’” + accountNumber + “’”;

I'm looking for the SQL injection... but since accountnumber is an int, I'm not seeing it.

Now wait...
commitchanges (fromAccount, toAccount);
...
Private void CommitChanges (int accountNumber, int balance);

There's a parameter meaning mismatch... the functions treas it as a balance, but it's getting passed an account number. The result being that the balance gets set to the account number. I hope I have a high account number.

But I'm hung up on the fact that the two CommitChanges calls have different case. Are they supposed to be the same?

I'd ideally like to see a little more context, and fixes to what I think are probably typos, and not part of the intended challenge.

# re: Spot the Bug - August 16, 2005

Wednesday, August 17, 2005 1:02 AM by D.J. Capelis

This code is a mess, but one thing that should be pointed out that hasn't been is that the CommitChanges function _really_ should be using transactions and doesn't appear to be.

One hopes that it's hooked up to a transactional database as well, because if it isn't that's a pretty large issue.

And you know, there's the usual gammut of coding errors as well, but the totally lack of using transactions annoyed me.

# re: Spot the Bug - August 16, 2005

Wednesday, August 17, 2005 11:28 AM by Bill

fromaccount.balance --= amount;

would rebind like fromaccount.balance-- = amount;

From the order of precedence table this would:

a. decrement fromaccount.balance by 1.
b. then assign the amount to the fromacccount.balance.

Very much not intended. Same with the ++= line. Instead of incrementing or decrementing by the amount its setting to the amount. Very bad.

There should be a transaction and lock around the retrieve and commit calls to prevent anything, including another thread, from modifiying the database while this transaction is in progress.

fromAccount = RetrieveFundInfo(myConnection, fromAccount.number);
toAccoutn = RetrieveFundInfo(myConnection, toAccount.number);
commitchanges (fromAccount, toAccount);

Typo?? toAccoutn?? should be toAccoutn

This line, and the next one, is a little strange:

fromAccount = RetrieveFundInfo(myConnection, fromAccount.number);

its resetting a parameter, which to me appears to be an object or struct. And therefore isn't possible to set an int value into it. Compiler should throw an exception on these two lines.

Also there is no commitchanges that matches those parameters. Since fromAccount and toAccount are objects or structs and not ints they don't match.

- Bill

# re: Spot the Bug - August 16, 2005

Wednesday, August 17, 2005 11:50 AM by Shaun Bedingfield

Well, as people have pointed out the code is malformed.

The input values are not checked here so you could possibly transfer a negative amount.. Could I transfer -1000000 from my account to Bill's?

RetrieveAccountInfo needs to differentiate the inputs from the numbers it recieves from the function calls otherwise as people have pointed out the types are wrong.

As far as SQL injection, I would think integer overflow with code like this but the code is too poor to tell. Maybe IntelliCompiler technology can make sense of it, I can't.

Shaun Bedingfield
blogsb.blogspot.com
shaunbed@swbell.net

# re: Spot the Bug - August 16, 2005

Wednesday, August 17, 2005 11:54 AM by Shaun Bedingfield

Sanity or bounds checking is a big problem. Last time I checked Netflix allowed you to divide your movies into subaccounts. If you have two subaccounts with a total of four rentals, one can rent -5 movies and the other can rent 9. I hope they have fixed this.

# re: Spot the Bug - August 16, 2005

Wednesday, August 17, 2005 2:04 PM by RAJ JEYA PANDIAN

THE OLD WAITE CABIN IS GOING THROUGH SOME R&R
THIS TYPE OF SITE REPAIR IS HARD WHEN THE RETIRED NEIGHBORS ARE ACCOUNTED FOR
SINCERELY
RAJ

# re: Spot the Bug - August 16, 2005

Wednesday, August 17, 2005 9:56 PM by Bart

I certainly do agree with (most of) the stuff aforementioned in earlier feedbacks. Here's a list of my feedback:

1. In TransferFunds I hope the variables fromaccount and toaccount are checked for null values. Also, a check for the specified amount is needed. Finally, the -= and +- operators could lead to integer overflows; the code should be "checked" to make sure these conditions are signaled through exceptions.
2. If TransferFunds has to run in a multithreaded environment, it's important to realize that the -= amount and += amount operations are not atomic and you can have issues with dirty reads etc. Instead, both operations should be wrapped in a critical section.
3. It's not clear what the difference between toAccount and toaccount (idem for fromAccount and fromaccount) is due to lack of specification. fromaccount and toaccount are global variables anyway, but in RetrieveAccountInfo the fromAccount and toAccount need to be ints (see return type of RetrieveFundInfo). However, in that case fromAccount.number and toAccount.number do not have any meaning (idem for .balance). There's clearly a type clash in this piece of code.
4. RetrieveFundInfo doesn't check the accountNumber for sanity (i.e. bounds checking).
5. RetrieveFundInfo operates on a SqlConnection with an unknown state. The myCommand.ExecuteReader() requires an open connection. There's no code to manage the status of the connection whatsoever.
6. Sharing the SqlConnection between RetrieveFundInfo and CommitChanges is not a good idea (see number 5 too). The use of connection pooling is much better, while having every method maintaining its own connection instance(s). Note: this won't be a solution if transactions are used, and transactions *should* be used (see further)!
7. RetrieveFundInfo can select an invalid account, which will cause the reader to fail while getting the first row/column. There should be at least exception handling.
8. RetrieveFundInfo can better use ExecuteScalar to retrieve the single value.
9. RetrieveFundInfo and CommitChanges both use non-parameterized SQL statements which are built using string concatentation, which is not a good idea at all. The accountnumber field seems not to be numerical because of the single quotes that are appended to the string. If you mean an account "00001234" (int in C#) you'll actually pass "1234" as a string to SQL Server. The same holds for the balance field of which the type is unclear (also remark the use of single quotes). Parameterized SqlCommands would be much better, also using strong typing.
10. Lack of transactions throughout the code. All database operations that update the balance should occur in one transaction.
11. CommitChanges does not check for failure or success. No exceptions are caught and thrown, no return type is specified.

As a final remark, the code would be much better as:
- one method, one SqlConnection, one SqlTransaction
- parameterized SqlCommand instances that are reused with different parameters, instead of having separate RetrieveFundInfo and CommitChanges methods with unclear SqlConnection pass-through
- use of stored procedures
- exception handling
- solution for possible threading issues

Kind regards,
Bart

# re: Spot the Bug - August 16, 2005

Tuesday, August 23, 2005 5:16 PM by evansight

A big bug (waterbug?) is that there's dynamic sql code used here instead of a locked down stored proc.

New Comments to this post are disabled

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - August 16, 2005

Comments

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005

# re: Spot the Bug - August 16, 2005