SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 80

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version 81

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added Linux kernel NCE/CS pair

Attempting to dereference a null pointer results in undefined behavior, typically abnormal program termination.

Noncompliant Code Example

In this noncompliant code example, input_str is copied into dynamically allocated memory referenced by str. If malloc() fails, it returns a null pointer that is assigned to str. When str is dereferenced in memcpy(), the program behaves in an unpredictable manner.

Code Block
bgColor#FFCCCC
size_t size = strlen(input_str)+1;
str = (char *)malloc(size);
memcpy(str, input_str, size);
/* ... */
free(str);
str = NULL;

Compliant Solution

To correct this error, ensure the pointer returned by malloc() is not null. This also ensures compliance with MEM32-C. Detect and handle memory allocation errors.

Code Block
bgColor#ccccff
size_t size = strlen(input_str)+1;
str = (char *)malloc(size);
if (str == NULL) {
  /* Handle Allocation Error */
}
memcpy(str, input_str, size);
/* ... */
free(str);
str = NULL;

Noncompliant Code Example

This noncompliant code example can be found in drivers/net/tun.c and affects Linux kernel 2.6.30.

Code Block
bgColor#FFCCCC

static unsigned int tun_chr_poll(struct file *file, poll_table * wait)  {  
  struct tun_file *tfile = file->private_data;  
  struct tun_struct *tun = __tun_get(tfile);  
  struct sock *sk = tun->sk;  
  unsigned int mask = 0;  
   
  if (!tun)  
    return POLLERR;  
   
  DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);  
   
  poll_wait(file, &tun->socket.wait, wait);  
   
  if (!skb_queue_empty(&tun->readq))  
    mask |= POLLIN | POLLRDNORM;  
   
  if (sock_writeable(sk) ||  
     (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&  
     sock_writeable(sk)))  
    mask |= POLLOUT | POLLWRNORM;  
   
  if (tun->dev->reg_state != NETREG_REGISTERED)  
    mask = POLLERR;  
   
  tun_put(tun);  
  return mask;  
}

The vulnerability occurs because sk is initialized to tun->sk before checking if tun is NULL. Of course, this should be done first because the GCC compiler (in this case) optimize it and completely remove the if (!tun) check because it is performed after the assignment. As a result, the above vulnerability can result in a null pointer dereference exploit.

Compliant Solution

This compliant solution eliminates the null pointer deference by initializing sk to tun->sk following the null pointer check.

Code Block
bgColor#ccccff

static unsigned int tun_chr_poll(struct file *file, poll_table * wait)  {  
  struct tun_file *tfile = file->private_data;  
  struct tun_struct *tun = __tun_get(tfile);  
  struct sock *sk;  
  unsigned int mask = 0;  
   
  if (!tun)  
    return POLLERR;  
  
  sk = tun->sk; 

  DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);  
   
  poll_wait(file, &tun->socket.wait, wait);  
   
  if (!skb_queue_empty(&tun->readq))  
    mask |= POLLIN | POLLRDNORM;  
   
  if (sock_writeable(sk) ||  
     (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&  
     sock_writeable(sk)))  
    mask |= POLLOUT | POLLWRNORM;  
   
  if (tun->dev->reg_state != NETREG_REGISTERED)  
    mask = POLLERR;  
   
  tun_put(tun);  
  return mask;  
}

Risk Assessment

Wiki Markup
Dereferencing a null pointer results in undefined behavior, typically abnormal program termination.  In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code \[[Jack 07|AA. C References#Jack 07], [van Sprundel 06|AA. C References#van Sprundel 06]\].  The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP34-C

high

likely

medium

P18

L1

Automated Detection

The LDRA tool suite Version 7.6.0 can detect violations of this rule.

...

Klocwork Version 8.0.4.16 can detect violations of this rule with the NPD.CHECK.CALL.MIGHT, NPD.CHECK.CALL.MUST, NPD.CHECK.MIGHT, NPD.CHECK.MUST, NPD.CONST.CALL, NPD.CONST.DEREF, NPD.FUNC.CALL.MIGHT, NPD.FUNC.CALL.MUST, NPD.FUNC.MIGHT, NPD.FUNC.MUST, NPD.GEN.CALL.MIGHT, NPD.GEN.CALL.MUST, NPD.GEN.MIGHT, NPD.GEN.MUST, RNPD.CALL and RNPD.DEREF checkers.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as EXP34-CPP. Ensure a null pointer is not dereferenced.

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.3.2.3, "Pointers"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "HFC Pointer casting and pointer type changes" and "XYH Null Pointer Dereference"
\[[Jack 07|AA. C References#Jack 07]\]
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 476|http://cwe.mitre.org/data/definitions/476.html], "NULL Pointer Dereference"
\[[van Sprundel 06|AA. C References#van Sprundel 06]\]
\[[Viega 05|AA. C References#Viega 05]\] Section 5.2.18, "Null-pointer dereference"

...