Page History

...

To correct this error, ensure the pointer returned by malloc() is not null. This also ensures compliance with guideline MEM32-C. Detect and handle memory allocation errors.

...

Dereferencing a null pointer results in undefined behavior, typically abnormal program termination.  In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code \[[Jack 072007|AA. Bibliography#Jack 07], [van Sprundel 062006|AA. Bibliography#van Sprundel 06]\].  The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.

Automated Detection

The LDRA tool suite Version 7.6.0 can detect violations of this rule.

Fortify SCA Version 5.0 can detect violations of this rule.

Splint Version 3.1.1 can detect violations of this rule.

...

Tool	Version	Checker	Description
Section LDRA tool suite	Include Page c:LDRA_V c:LDRA_V
Section Fortify SCA	Section V. 5.0
Section Splint	Include Page c:Splint_V c:Splint_V
Section Compass/ROSE			Section can detect violations of this rule. In particular, Rose ensures that any pointer returned by malloc(), calloc(), or realloc() is first checked for NULL before being used (otherwise it is free()-d). Rose does not handle cases where an allocation is assigned to an lvalue that is not a variable (such as a struct member or C++ function call returning a reference.)

...

Section Coverity Prevent

...

	Include Page c:Coverity_V c:Coverity_V	Section CHECKED_RETURN	Section finds instances where a pointer is checked against NULL and then later dereferenced.
Section Coverity Prevent	Include Page c:Coverity_V c:Coverity_V	Section NULL_RETURNS	Section The NULL_RETURNS checker identifies functions that can return a null pointer but are not checked.
Section Coverity Prevent	Include Page c:Coverity_V c:Coverity_V	Section REVERSE_INULL	Section The REVERSE_INULL identifies code that dereferences a pointer and then checks the pointer against NULL.
Section Coverity Prevent	Include Page c:Coverity_V c:Coverity_V	Section FORWARD_NULL	Section The FORWARD_NULL checker can find the instances where NULL is explicitly dereferenced or a pointer is checked against null but then dereferenced anyway.
Section Klocwork	Include Page c:Klocwork_V c:Klocwork_V	Section NPD.* *RNPD.*

Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Klocwork can detect violations of this rule with the NPD.* and RNPD.* checkers. See Klocwork Cross Reference

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as : EXP34-CPP. Ensure a null pointer is not dereferenced.

...

\[[Goodin 2009|AA. Bibliography#Goodin 2009]\]
\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 6.3.2.3, "Pointers"
\[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "HFC Pointer casting and pointer type changes" and "XYH Null Pointer Dereference"
\[[Jack 072007|AA. Bibliography#Jack 07]\]
\[[Liu 2009|AA. Bibliography#Liu 2009]\]
\[[MITRE 072007|AA. Bibliography#MITRE 07]\] [CWE ID 476|http://cwe.mitre.org/data/definitions/476.html], "NULL Pointer Dereference"
\[[van Sprundel 062006|AA. Bibliography#van Sprundel 06]\]
\[[Viega 052005|AA. Bibliography#Viega 05]\] Section 5.2.18, "Null-pointer dereference"

...