Comment: parens are needed to "increment the value", pointed out by someone reading Japanese version.

Many functions accept pointers as arguments. If the function dereferences an invalid pointer (as in EXP34-C. Do not dereference null pointers) or reads or writes to a pointer that does not refer to an object, the results are undefined. Typically, the program will terminate abnormally when an invalid pointer is dereferenced, but it is possible for an invalid pointer to be dereferenced and its memory changed without abnormal termination [Jack 2007]. Such programs can be difficult to debug because of the difficulty in determining if a pointer is valid.

One way to eliminate invalid pointers is to define a function that accepts a pointer argument and indicates whether or not the pointer is valid, for some definition of valid. For example, the following function declares any pointer to be valid except NULL:

Code Block

int valid(void *ptr) {
  return (ptr != NULL);
}

Some platforms have platform-specific pointer validation tools.

The following code relies on the _etext address, defined by the loader as the first address following the program text on many platforms, including AIX, Linux, QNX, IRIX, and Solaris. It is not POSIX-compliant, nor is it available on Windows.

Code Block

#include <stdio.h>
#include <stdlib.h>

int valid(void *p) {
  extern char _etext;
  return (p != NULL) && ((char*) p > &_etext);
}

int global;

int main(void) {
  int local;

  printf("pointer to local var valid? %d\n", valid(&local));
  printf("pointer to static var valid? %d\n", valid(&global));
  printf("pointer to function valid? %d\n", valid((void *)main));

  int *p = (int *) malloc(sizeof(int));
  printf("pointer to heap valid? %d\n", valid(p));
  printf("pointer to end of allocated heap valid? %d\n", valid(++p));
  free(--p);
  printf("pointer to freed heap valid? %d\n", valid(p));
  printf("null pointer valid? %d\n", valid(NULL));

  return 0;
}

On a Linux platform, this program produces the following output:

Code Block

pointer to local var valid? 1
pointer to static var valid? 1
pointer to function valid? 0
pointer to heap valid? 1
pointer to end of allocated heap valid? 1
pointer to freed heap valid? 1
null pointer valid? 0

The valid() function does not guarantee validity; it only identifies null pointers and pointers to functions as invalid. However, it can be used to catch a substantial number of problems that might otherwise go undetected.

Noncompliant Code Example

In this noncompliant code example, the incr() function increments the value referenced by its argument. It also ensures that its argument is not a null pointer. But the pointer could still be invalid, causing the function to corrupt memory or terminate abnormally.

Code Block

void incr(int *intptr) {
  if (intptr == NULL) {
    /* Handle error */
  }
  (*intptr)++;
}

Compliant Solution

This incr() function can be improved by using the valid() function. The resulting implementation is less likely to dereference an invalid pointer or write to memory that is outside the bounds of a valid object.

Code Block

void incr(int *intptr) {
  if (!valid(intptr)) {
    /* Handle error */
  }
  (*intptr)++;
}

Since invalid pointers are often indicative of a bug in the program, one can use the assert() macro to terminate immediately if an invalid pointer is discovered (see MSC11-A. Incorporate diagnostic tests using assertions).

Code Block

#include <assert.h>

void incr(int *intptr) {
  assert(valid(intptr));
  (*intptr)++;
}

The valid() function can be implementation dependent and perform additional, platform-dependent checks when possible. In the worst case, the valid() function may only perform the same null-pointer check as the noncompliant code example. However, on platforms where additional pointer validation is possible, the use of a valid() function can provide checks.
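One platform-dependent check of the kind described above, as an added example that is not part of the original guideline: on Linux, a validation function can consult /proc/self/maps and accept a pointer only if the whole object lies in a readable and writable mapping. The names valid_rw() and have_proc_maps() are assumptions made for this example; when the mapping table cannot be read, the check degrades to the null-pointer test.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if this platform exposes the mapping table used below. */
int have_proc_maps(void) {
  FILE *f = fopen("/proc/self/maps", "r");
  if (f == NULL) return 0;
  fclose(f);
  return 1;
}

/* Hypothetical helper, not from the guideline: returns 1 only if
 * [ptr, ptr + len) lies inside one readable and writable mapping. */
int valid_rw(const void *ptr, size_t len) {
  uintptr_t start = (uintptr_t)ptr, end = start + len;
  if (ptr == NULL || len == 0 || end < start) return 0;
  FILE *maps = fopen("/proc/self/maps", "r");
  if (maps == NULL) return 1;  /* worst case: null-pointer check only */
  char line[512], perms[5];
  unsigned long lo, hi;
  int ok = 0;
  while (fgets(line, sizeof line, maps) != NULL) {
    /* Each line starts "lo-hi perms", e.g. "7ffd1000-7ffd3000 rw-p". */
    if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
    if (start >= lo && end <= hi) {
      ok = (perms[0] == 'r' && perms[1] == 'w');
      break;
    }
  }
  fclose(maps);
  return ok;
}

int global;

int main(void) {
  int local;
  int *heap = malloc(sizeof *heap);
  printf("pointer to local var valid? %d\n", valid_rw(&local, sizeof local));
  printf("pointer to static var valid? %d\n", valid_rw(&global, sizeof global));
  printf("pointer to heap valid? %d\n", valid_rw(heap, sizeof *heap));
  printf("pointer to string literal valid? %d\n", valid_rw("text", 5));
  printf("null pointer valid? %d\n", valid_rw(NULL, sizeof(int)));
  free(heap);
  return 0;
}
```

Like the _etext version, this check still accepts a pointer to freed heap memory as long as the page remains mapped, so it narrows the set of invalid pointers rather than eliminating it.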

Risk Assessment

A pointer validation function can be used to detect and prevent operations from being performed on some invalid pointers.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| MEM10-C | High | Unlikely | High | P3 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| LDRA tool suite | | 159 S | Enhanced enforcement |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[ISO/IEC 9899:1999] Section 6.3.2.3, "Pointers"
[Jack 2007]
[van Sprundel 2006]

Related Guidelines

SEI CERT C++ Coding Standard: VOID MEM10-CPP. Define and use a pointer validation function

MITRE CWE:

CWE-20, Improper Input Validation
CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-91, XML Injection (aka Blind XPath Injection)
CWE-94, Improper Control of Generation of Code ('Code Injection')
CWE-114, Process Control
CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
