...

This noncompliant code example can be found in {{drivers/net/tun.c}} and affects Linux kernel 2.6.30 \[[Goodin 2009|AA. References#GoodinBibliography#Goodin 2009]\].

static unsigned int tun_chr_poll(struct file *file, poll_table * wait)  {
  struct tun_file *tfile = file->private_data;
  struct tun_struct *tun = __tun_get(tfile);
  /* tun is dereferenced here, before it is checked against NULL below;
   * if __tun_get() returned NULL this read already dereferences a null pointer */
  struct sock *sk = tun->sk;
  unsigned int mask = 0;

  /* This check comes too late: tun->sk has already been read above, so the
   * compiler may treat tun as known non-null and remove the check entirely */
  if (!tun)
    return POLLERR;

  DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);

  poll_wait(file, &tun->socket.wait, wait);

  if (!skb_queue_empty(&tun->readq))
    mask |= POLLIN | POLLRDNORM;

  if (sock_writeable(sk) ||
     (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
     sock_writeable(sk)))
    mask |= POLLOUT | POLLWRNORM;

  if (tun->dev->reg_state != NETREG_REGISTERED)
    mask = POLLERR;

  tun_put(tun);
  return mask;
}

...

Normally, a null pointer dereference results in an access violation and abnormal program termination. On several operating systems, however, it is possible to make a null pointer dereference succeed, for example by using {{mmap(2)}} with the {{MAP_FIXED}} flag on Linux and Mac OS X, or by using {{shmat(2)}} with the {{SHM_RND}} flag on Linux \[[Liu 2009|AA. References#LiuBibliography#Liu 2009]\].
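To show the ordering defect outside the kernel, the following is an added example (not the CERT page's or the Linux kernel's code): a user-space model of {{tun_chr_poll}} with stand-in types and flag constants, written once with the same dereference-before-check ordering and once with the pointer validated before any field access.

```c
#include <stddef.h>

/* Stand-in poll flags and structures, constructed for this example. */
#define EX_POLLIN     0x0001u
#define EX_POLLOUT    0x0004u
#define EX_POLLERR    0x0008u
#define EX_POLLRDNORM 0x0040u
#define EX_POLLWRNORM 0x0100u

struct ex_sock { int writeable; };
struct ex_tun {
    struct ex_sock *sk;
    int readq_len;   /* stands in for !skb_queue_empty(&tun->readq) */
    int registered;  /* stands in for dev->reg_state == NETREG_REGISTERED */
};

/* Same ordering as the kernel code: tun->sk is read before tun is checked,
 * so a NULL tun is dereferenced first and the later check is dead code that
 * an optimizer may remove. Kept only for contrast; never call it with NULL. */
unsigned int poll_noncompliant(struct ex_tun *tun) {
    struct ex_sock *sk = tun->sk;      /* dereference precedes the check */
    unsigned int mask = 0;
    if (!tun)
        return EX_POLLERR;
    if (tun->readq_len > 0)
        mask |= EX_POLLIN | EX_POLLRDNORM;
    if (sk->writeable)
        mask |= EX_POLLOUT | EX_POLLWRNORM;
    if (!tun->registered)
        mask = EX_POLLERR;
    return mask;
}

/* Corrected ordering: validate the pointer before any field is accessed,
 * and treat a missing socket as not writeable instead of dereferencing it. */
unsigned int poll_compliant(struct ex_tun *tun) {
    struct ex_sock *sk;
    unsigned int mask = 0;
    if (!tun)
        return EX_POLLERR;             /* check first */
    sk = tun->sk;                      /* only now is tun known valid */
    if (tun->readq_len > 0)
        mask |= EX_POLLIN | EX_POLLRDNORM;
    if (sk != NULL && sk->writeable)
        mask |= EX_POLLOUT | EX_POLLWRNORM;
    if (!tun->registered)
        mask = EX_POLLERR;
    return mask;
}
```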

Compliant Solution

...

Dereferencing a null pointer results in undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code \[[Jack 07|AA. References#JackBibliography#Jack 07], [van Sprundel 06|AA. References#vanBibliography#van Sprundel 06]\]. The indicated severity is for this more severe case; on platforms where a null pointer dereference cannot be exploited to execute arbitrary code, the actual severity is low.

...

\[[Goodin 2009|AA. References#GoodinBibliography#Goodin 2009]\]
\[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\] Section 6.3.2.3, "Pointers"
\[[ISO/IEC PDTR 24772|AA. References#ISOBibliography#ISO/IEC PDTR 24772]\] "HFC Pointer casting and pointer type changes" and "XYH Null Pointer Dereference"
\[[Jack 07|AA. References#JackBibliography#Jack 07]\]
\[[Liu 2009|AA. References#LiuBibliography#Liu 2009]\]
\[[MITRE 07|AA. References#MITREBibliography#MITRE 07]\] [CWE ID 476|http://cwe.mitre.org/data/definitions/476.html], "NULL Pointer Dereference"
\[[van Sprundel 06|AA. References#vanBibliography#van Sprundel 06]\]
\[[Viega 05|AA. References#ViegaBibliography#Viega 05]\] Section 5.2.18, "Null-pointer dereference"

...