...
If the vulnerable program references memory offset from the return value, an attacker can exploit the program to read or write arbitrary memory. This vulnerability has been used to execute arbitrary code [VU#159523].
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM52-CPP | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE |
| Coverity | 7.5 | CHECKED_RETURN | Finds inconsistencies in how function call return values are handled | ||||||
| LDRA tool suite |
| 45 D | Partially implemented | ||||||
| Parasoft C/C++test |
|
|
| MRM-34 |
| Parasoft Insure++ |
| Runtime detection |
| PRQA QA-C++ | 4.1 | 4632, 3225, 3226, 3227, 3228, 3229 |
| PVS-Studio | 6.22 | V522 | General analysis rule |
Related Vulnerabilities
The vulnerability in Adobe Flash [VU#159523] arises because Flash neglects to check the return value from calloc(). Even though calloc() returns NULL, Flash does not attempt to read or write to the return value. Instead, it attempts to write to an offset from the return value. Dereferencing NULL usually results in a program crash, but dereferencing an offset from NULL allows an exploit to succeed without crashing the program.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C Coding Standard | ERR33-C. Detect and handle standard library errors |
| MITRE CWE | CWE 252, Unchecked Return Value |
Bibliography
| [ISO/IEC 9899:2011] | Subclause 7.20.3, "Memory Management Functions" |
| [ISO/IEC 14882-2014] | Subclause 18.6.1.1, "Single-Object Forms" |
| [Meyers 1996] | Item 7, "Be Prepared for Out-of-Memory Conditions" |
| [Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
...
...