...
Noncompliant Code Example
This noncompliant code example can be found in drivers/net/tun.c and affects Linux kernel 2.6.30 [Goodin 09].

```c
static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
{
    struct tun_file *tfile = file->private_data;
    struct tun_struct *tun = __tun_get(tfile);
    struct sock *sk = tun->sk;      /* tun is dereferenced here, before the NULL check below */
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;

    DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);

    poll_wait(file, &tun->socket.wait, wait);

    if (!skb_queue_empty(&tun->readq))
        mask |= POLLIN | POLLRDNORM;

    if (sock_writeable(sk) ||
        (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
         sock_writeable(sk)))
        mask |= POLLOUT | POLLWRNORM;

    if (tun->dev->reg_state != NETREG_REGISTERED)
        mask = POLLERR;

    tun_put(tun);
    return mask;
}
```
The vulnerability occurs because sk is initialized to tun->sk before checking whether tun is NULL. The check must come first: because tun has already been dereferenced, GCC (in this case) treats it as non-null and optimizes away the if (!tun) check entirely, since the check is performed after the assignment. As a result, the above vulnerability can result in a null pointer dereference exploit.
Normally, a null pointer dereference results in an access violation and abnormal program termination. However, it is possible to permit null pointer dereferencing on several operating systems, for example, using mmap(2) with the MAP_FIXED flag on Linux and Mac OS X or using shmat(2) with the SHM_RND flag on Linux [Liu 09].
Compliant Solution
This compliant solution eliminates the null pointer dereference by initializing sk to tun->sk following the null pointer check.
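The following is an added, self-contained illustration of the two orderings and is not the kernel's code: the struct types, the poll flag values and the fields queue_len and registered are constructed stand-ins for the tun_struct, skb_queue_empty and reg_state logic in tun_chr_poll.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel types and poll flags (not the kernel's own). */
#define POLLIN   0x0001u
#define POLLOUT  0x0004u
#define POLLERR  0x0008u
struct sock { int writeable; };
struct tun_struct {
    struct sock *sk;
    int queue_len;   /* stands in for !skb_queue_empty(&tun->readq) */
    int registered;  /* stands in for reg_state == NETREG_REGISTERED */
};

/* Noncompliant ordering, as in tun_chr_poll: tun is dereferenced before it is
 * tested. Dereferencing NULL is undefined, so the optimizer may take "tun != NULL"
 * as established and delete the test; a NULL tun then faults unconditionally. */
static unsigned int poll_noncompliant(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;  /* dereference first ... */
    unsigned int mask = 0;
    if (!tun)                   /* ... check second: may be optimized out */
        return POLLERR;
    if (tun->queue_len > 0) mask |= POLLIN;
    if (sk->writeable)      mask |= POLLOUT;
    if (!tun->registered)   mask = POLLERR;
    return mask;
}

/* Compliant ordering: every use of tun follows the NULL test, so the check is
 * live and a NULL tun is reported as POLLERR instead of being dereferenced. */
static unsigned int poll_compliant(struct tun_struct *tun)
{
    struct sock *sk;
    unsigned int mask = 0;
    if (!tun)
        return POLLERR;
    sk = tun->sk;               /* only after tun is known to be non-null */
    if (tun->queue_len > 0) mask |= POLLIN;
    if (sk->writeable)      mask |= POLLOUT;
    if (!tun->registered)   mask = POLLERR;
    return mask;
}

int main(void)
{
    struct sock sk = { 1 };
    struct tun_struct tun = { &sk, 2, 1 };
    printf("valid: 0x%x/0x%x, NULL: 0x%x\n", poll_noncompliant(&tun), poll_compliant(&tun), poll_compliant(NULL));
    return 0;
}
```

Only poll_compliant is ever called with NULL; compiling both functions at -O2 and comparing the generated code shows whether the if (!tun) test survives in each.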
...
This rule appears in the C++ Secure Coding Standard as EXP34-CPP. Ensure a null pointer is not dereferenced.
References
[Goodin 2009]
[ISO/IEC 9899:1999] Section 6.3.2.3, "Pointers"
[ISO/IEC PDTR 24772] "HFC Pointer casting and pointer type changes" and "XYH Null Pointer Dereference"
[Jack 07]
[Liu 2009]
[MITRE 07] CWE ID 476, "NULL Pointer Dereference" (http://cwe.mitre.org/data/definitions/476.html)
[van Sprundel 06]
[Viega 05] Section 5.2.18, "Null-pointer dereference"
...