...

In this example, input_str is copied into dynamically allocated memory referenced by str. If malloc() fails, it returns a NULL pointer that is assigned to str. When str is dereferenced in strcpy(), the program behaves in an unpredictable manner.

/* ... */
size_t size = strlen(input_str);
if (size == SIZE_MAX) { /* test for limit of size_t */
  /* Handle Error */
}
str = malloc(size+1);
strcpy(str, input_str);
/* ... */

Note that, in accordance with rule "MEM35-C. Ensure that size arguments to memory allocation functions are correct," the argument supplied to malloc() is checked to ensure a numeric overflow does not occur.

...

To correct this error, ensure the pointer returned by malloc() is not NULL. In addition to this rule, this should be done in accordance with rule "MEM32-C. Detect and handle critical memory allocation errors."

/* ... */
size_t size = strlen(input_str);
if (size == SIZE_MAX) { /* test for limit of size_t */
  /* Handle Error */
}
str = malloc(size+1);
if (str == NULL) {
  /* Handle Allocation Error */
}
strcpy(str, input_str);
/* ... */
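
The corrected fragment above, completed into a function whose allocation-failure path can be exercised on demand. This is an added example, not part of the original rule text: `copy_input`, `alloc_fn` and `failing_alloc` are hypothetical names, and returning NULL to the caller is one assumed way to fill in the "Handle Allocation Error" placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook so the failure path can be forced in a test. */
typedef void *(*alloc_fn)(size_t);

/* Stand-in for malloc() under memory exhaustion: always fails. */
static void *failing_alloc(size_t n) {
  (void)n;
  return NULL;
}

/*
 * Copies input_str into newly allocated storage.
 * Returns NULL, without dereferencing a null pointer, when the input is
 * null, when size + 1 would wrap, or when the allocator fails.
 * The caller owns the result and releases it with free().
 */
static char *copy_input(const char *input_str, alloc_fn alloc) {
  if (input_str == NULL || alloc == NULL) {
    return NULL;
  }
  size_t size = strlen(input_str);
  if (size == SIZE_MAX) { /* size + 1 would wrap to 0 */
    return NULL;
  }
  char *str = alloc(size + 1);
  if (str == NULL) { /* allocation failed: report it, never copy into it */
    return NULL;
  }
  memcpy(str, input_str, size + 1); /* includes the terminating '\0' */
  return str;
}

int main(void) {
  /* Constructed sample input. */
  char *ok = copy_input("constructed sample", malloc);
  char *failed = copy_input("constructed sample", failing_alloc);
  printf("malloc:        %s\n", ok ? ok : "(null)");
  printf("failing_alloc: %s\n", failed ? failed : "(null)");
  free(ok);
  free(failed); /* free(NULL) is a no-op */
  return (ok != NULL && failed == NULL) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Passing `failing_alloc` in a unit test confirms that the error branch runs and that no copy is attempted through the null pointer.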

Risk Assessment

Dereferencing an invalid pointer results in undefined behavior, typically abnormal program termination.

...

Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.

References

[ISO/IEC 9899-1999] 6.3.2.3 Pointers
[Viega 05] Section 5.2.18 Null-pointer dereference