...
| Code Block | ||
|---|---|---|
| ||
size_t size = strlen(input_str)+1;
str = (char *)malloc(size);
memcpy(str, input_str, size);
/* ... */
free(str);
str = NULL;
|
Compliant Solution
To correct this error, ensure the pointer returned by malloc() is not null. This also ensures compliance with MEM32-C. Detect and handle memory allocation errors.
| Code Block | ||
|---|---|---|
| ||
size_t size = strlen(input_str)+1;
str = (char *)malloc(size);
if (str == NULL) {
/* Handle Allocation Error */
}
memcpy(str, input_str, size);
/* ... */
free(str);
str = NULL;
|
Noncompliant Code Example
...
| Code Block | ||
|---|---|---|
| ||
static unsigned int tun_chr_poll(struct file *file, poll_table * wait) {
struct tun_file *tfile = file->private_data;
struct tun_struct *tun = __tun_get(tfile);
struct sock *sk = tun->sk;
unsigned int mask = 0;
if (!tun)
return POLLERR;
DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
poll_wait(file, &tun->socket.wait, wait);
if (!skb_queue_empty(&tun->readq))
mask |= POLLIN | POLLRDNORM;
if (sock_writeable(sk) ||
(!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
sock_writeable(sk)))
mask |= POLLOUT | POLLWRNORM;
if (tun->dev->reg_state != NETREG_REGISTERED)
mask = POLLERR;
tun_put(tun);
return mask;
}
|
The vulnerability occurs because sk is initialized to tun->sk before checking if tun is equal to NULL. Of course, this should be done first because the GCC compiler (in this case) optimize it and completely remove the if (!tun) check because it is performed after the assignment. As a result, the above vulnerability can result in a null pointer dereference exploit.
...
| Code Block | ||
|---|---|---|
| ||
static unsigned int tun_chr_poll(struct file *file, poll_table * wait) {
struct tun_file *tfile = file->private_data;
struct tun_struct *tun = __tun_get(tfile);
struct sock *sk;
unsigned int mask = 0;
if (!tun)
return POLLERR;
sk = tun->sk;
DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
poll_wait(file, &tun->socket.wait, wait);
if (!skb_queue_empty(&tun->readq))
mask |= POLLIN | POLLRDNORM;
if (sock_writeable(sk) ||
(!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
sock_writeable(sk)))
mask |= POLLOUT | POLLWRNORM;
if (tun->dev->reg_state != NETREG_REGISTERED)
mask = POLLERR;
tun_put(tun);
return mask;
}
|
Risk Assessment
| Wiki Markup |
|---|
Dereferencing a null pointer results in undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code \[[Jack 07|AA. References#Jack 07], [van Sprundel 06|AA. References#van Sprundel 06]\]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low. |
...
The Coverity Prevent CHECKED_RETURN, NULL_RETURNS, and REVERSE_INULL checkers can all find violations of this rule. The CHECKED_RETURN finds instances where a pointer is checked against NULL and then later dereferenced. The NULL_RETURNS checker identifies functions that can return a null pointer but are not checked. The REVERSE_INULL identifies code that dereferences a pointer and then checks the pointer against NULL. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
Klocwork Version 8.0.4.16 can detect violations of this rule with the NPD.CHECK.CALL.MIGHT, NPD.CHECK.CALL.MUST, NPD.CHECK.MIGHT, NPD.CHECK.MUST, NPD.CONST.CALL, NPD.CONST.DEREF, NPD.FUNC.CALL.MIGHT, NPD.FUNC.CALL.MUST, NPD.FUNC.MIGHT, NPD.FUNC.MUST, NPD.GEN.CALL.MIGHT, NPD.GEN.CALL.MUST, NPD.GEN.MIGHT, NPD.GEN.MUST, RNPD.CALL and RNPD.DEREF checkers.* and RNPD.* checkers. See Klocwork Cross Reference
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...