This code is a program in C that logs user...

August 23, 2025 at 06:08 PM

#include <stdio.h>
#include <string.h>

// Cliente
typedef struct {
  char nome[20];
  char cognome[20];
  char email[50];
  int puntiFedelta;
} Cliente;

// Ordine
typedef struct {
  char prodotto[30];
  char codiceid[20];
  int quantita;
  double prezzo;
} Ordine;

// Versione BUG (CWE-843: Type Confusion)
// interpreta sempre come Cliente
void logAttivita(void* p) {
  FILE* f = fopen("log.txt", "a");
  if (!f) {
    perror("Errore apertura log.txt");
    return;
  }

  Cliente* c = (Cliente*)p; // ⚠ Type Confusion
  printf("LOG Cliente: %s %s (Email: %s) - Punti: %d\n",
         c->nome, c->cognome, c->email, c->puntiFedelta);

  fprintf(f, "LOG Cliente: %s %s (Email: %s) - Punti: %d\n",
          c->nome, c->cognome, c->email, c->puntiFedelta);

  fclose(f);
}

int main() {
  char scelta;
  printf("Vuoi inserire (C)liente o (O)rdine? ");
  scanf(" %c", &scelta);
  getchar();

  if (scelta == 'C' || scelta == 'c') {
    Cliente c;
    printf("Nome: "); fgets(c.nome, sizeof(c.nome), stdin);
    c.nome[strcspn(c.nome, "\n")] = 0;
    printf("Cognome: "); fgets(c.cognome, sizeof(c.cognome), stdin);
    c.cognome[strcspn(c.cognome, "\n")] = 0;
    printf("Email: "); fgets(c.email, sizeof(c.email), stdin);
    c.email[strcspn(c.email, "\n")] = 0;
    printf("Punti Fedeltà: "); scanf("%d", &c.puntiFedelta);

    logAttivita(&c);
  } else {
    Ordine o;
    printf("Prodotto: "); fgets(o.prodotto, sizeof(o.prodotto), stdin);
    o.prodotto[strcspn(o.prodotto, "\n")] = 0;
    printf("Codice ID: "); fgets(o.codiceid, sizeof(o.codiceid), stdin);
    o.codiceid[strcspn(o.codiceid, "\n")] = 0;
    printf("Quantità: "); scanf("%d", &o.quantita);
    printf("Prezzo: "); scanf("%lf", &o.prezzo);

    logAttivita(&o); // ⚠ BUG: passa Ordine ma viene letto come Cliente
  }
}

This code is a program in C that logs user inputs to a file ("log.txt") and prints logs related to either a Cliente (customer) or Ordine (order). However, it contains a serious bug caused by type confusion (CWE-843).

High-Level Description:

The program allows the user to choose whether to input a Cliente or an Ordine object.
Depending on the choice:
- If the user inputs a Cliente, the relevant fields (name, surname, email, points) are collected.
- If the user inputs an Ordine, the relevant fields (product name, ID, quantity, price) are collected.
The logAttivita() function then logs the data to a file ("log.txt") and outputs it to the console.

The Critical Bug: Type Confusion

In logAttivita(), the program assumes that the input pointer (void* p) always points to a Cliente structure.
However, in the case where an Ordine (order) is passed, the program still treats the block of memory as if it were a Cliente.
This will lead to undefined behavior because:
- The memory layout of Ordine and Cliente structures are different.
- Fields like nome, cognome, etc., are not meaningful in an Ordine structure.
- The program will misinterpret the Ordine bytes, potentially causing invalid data to be logged.

Step-by-Step Analysis:

Input Choice:
- The user is prompted: "Vuoi inserire (C)liente o (O)rdine? ".
- If 'C' or 'c': A Cliente object is filled.
- If 'O' or 'o': An Ordine object is filled.
Function logAttivita():
- Takes a void* pointer as input, which can point to either a Cliente or an Ordine.
- The function always casts the pointer to Cliente*, regardless of what was passed.
- It attempts to log fields like nome, cognome, email, and puntiFedelta as if the data belonged to a Cliente.
If 'C' (Cliente):
- Everything works as expected:
  - Input data is stored in a Cliente instance.
  - logAttivita() accesses and logs the data correctly.
- Example Log:
```
LOG Cliente: Mario Rossi (Email: mario.rossi@example.com) - Punti: 120
```
If 'O' (Ordine):
- The Ordine object is passed to logAttivita().
- The Ordine fields (prodotto, codiceid, quantita, prezzo) are misinterpreted as the fields of a Cliente (nome, cognome, email, puntiFedelta).
- This leads to garbage data being logged.
- Example Log (corrupted):
```
LOG Cliente: RandomCharacters ‘(Email: MoreRandomCharacters) - Punti: LargeGarbageValue
```

Key Problems:

Type Confusion:
- The logAttivita() function is not designed to handle multiple types properly. It blindly assumes the input is a Cliente.
Undefined Behavior:
- The program exhibits undefined behavior because the memory layout of Ordine and Cliente is different. Accessing fields at wrong memory offsets results in:
  - Invalid reads.
  - Garbage data being output and written to the file.
Potential Security Vulnerability:
- Because of the flawed memory interpretation, this could potentially lead to crashes, data corruption, or security issues.

Suggestions for Fixing:

Use type-safe logging:
- Add a mechanism to distinguish between Cliente and Ordine inside logAttivita().
- For example, by adding a type field or using separate functions for logging Cliente and Ordine.

Example Fix:

// Improved log function
void logCliente(Cliente* c) {
    FILE* f = fopen("log.txt", "a");
    if (!f) {
        perror("Errore apertura log.txt");
        return;
    }

    fprintf(f, "LOG Cliente: %s %s (Email: %s) - Punti: %d\n",
            c->nome, c->cognome, c->email, c->puntiFedelta);
    fclose(f);
}

void logOrdine(Ordine* o) {
    FILE* f = fopen("log.txt", "a");
    if (!f) {
        perror("Errore apertura log.txt");
        return;
    }

    fprintf(f, "LOG Ordine: %s (Codice: %s) - Quantità: %d, Prezzo: %.2f\n",
            o->prodotto, o->codiceid, o->quantita, o->prezzo);
    fclose(f);
}

Then, call the appropriate logging function based on the input type.

Use discriminators or tagged unions if multiple types must share the same function:
- Add a type field (enum) and check it before casting.

Conclusion:

This program attempts to log either client or order data but introduces a critical type confusion bug. Proper type handling or functions should be used to ensure correct operation and prevent undefined behavior.

Generate your own explanations

Download our vscode extension

Read other generated explanations

Built by @thebuilderjr