SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 107

changes.mady.by.user Pranjal Jumde

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Attempting to dereference Dereferencing a null pointer results in is undefined behavior, typically abnormal program termination.

On many platforms, dereferencing a null pointer results in abnormal program termination, but this is not required by the standard. See "Clever Attack Exploits Fully-Patched Linux Kernel" [Goodin 2009] for an example of a code execution exploit that resulted from a null pointer dereference.

Noncompliant Code Example

This noncompliant code example is derived from a real-world example taken from a vulnerable version of the libpng library as deployed on a popular ARM-based cell phone [Jack 2007]. The libpng . The  libpng library allows applications to read, create, and manipulate PNG (Portable Network Graphics) raster image files. The libpng library implements its own wrapper to malloc() that returns a null pointer on error or on being passed a 0-byte-length argument.

This code also violates ERR33-C. Detect and handle standard library errors.

Code Block
bgColor#FFCCCC
langc
#include <png.h> /* From libpng */
#include <string.h>
 
void func(png_structp png_ptr, int length, const void *user_data) { 
  png_charp chunkdata;
  chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  /* ... */
  memcpy(chunkdata, user_data, length);
  /* ... */
 }

If length has the value −1, the addition yields If a length field of −1 is supplied to the code in this noncompliant example, the addition wraps around to 0, and png_malloc() subsequently returns a null pointer, which is assigned to chunkdata. The chunkdata pointer is later used as a destination argument in a call to memcpy(), resulting in user-defined data overwriting memory starting at address 0. A write from or read to the memory address 0x0 will generally reference invalid or unused memory. In the case of the ARM and XScale architectures, the 0x0 address is mapped in memory and serves as the Exception Vector Tableexception vector table; consequently, dereferencing 0x0 did not cause an abnormal program termination.

Compliant Solution

To correct this error, ensure This compliant solution ensures that the pointer returned by png_malloc() is not null. It also uses the unsigned type size_t to pass the length parameter, ensuring that negative values are not passed to func().

This also ensures compliance with MEM32-C. Detect and handle memory allocation errorssolution also ensures that the user_data pointer is not null. Passing a null pointer to memcpy() would produce undefined behavior, even if the number of bytes to copy were 0.  The user_data pointer could be invalid in other ways, such as pointing to freed memory. However there is no portable way to verify that the pointer is valid, other than checking for null.

Code Block
bgColor#ccccff
langc
#include <png.h> /* From libpng */
#include <string.h>

 void func(png_structp png_ptr, size_t length, const void *user_data) { 
  png_charp chunkdata;
chunkdata
  if (length == SIZE_MAX) {
    /* Handle error */
  }
  if (NULL == user_data) {
    /* Handle error */
  }
  chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  if (chunkdataNULL == NULLchunkdata) {
    /* Handle Allocation Error error */
  }
  /* ... */
  memcpy(chunkdata, user_data, length);
  /* ... */

 }

Noncompliant Code Example

In this noncompliant code example, input_str is copied into dynamically allocated memory referenced by c_str. If malloc() fails, it returns a null pointer that is assigned to c_str. When c_str is dereferenced in memcpy(), the program behaves in an unpredictable mannerexhibits undefined behavior.  Additionally, if input_str is a null pointer, the call to strlen() dereferences a null pointer, also resulting in undefined behavior. This code also violates ERR33-C. Detect and handle standard library errors.

Code Block
bgColor#FFCCCC
langc
#include <string.h>
#include <stdlib.h>
 
void f(const char *input_str) {
  size_t size = strlen(input_str) + 1;
  char *c_str = (char *)malloc(size);
  memcpy(c_str, input_str, size);
  /* ... */
  free(c_str);
  c_str = NULL;
  /* ... */
}

Compliant Solution

To correct this error, ensure the This compliant solution ensures that both input_str and the pointer returned by malloc() is are not null. This also ensures compliance with MEM32-C. Detect and handle memory allocation errors.

Code Block
bgColor#ccccff
langc
#include <string.h>
#include <stdlib.h>
 
void f(const char *input_str) {
  size_t size;
  char *c_str;
 
  if (NULL == input_str) {
    /* Handle error */
  }
  
  size = strlen(input_str) + 1;
  c_str = (char *)malloc(size);
  if (strNULL == NULLc_str) {
    /* Handle Allocation Errorerror */
  }
  memcpy(c_str, input_str, size);
  /* ... */
  free(c_str);
  c_str = NULL;
  /* ... */
}

Noncompliant Code Example

This noncompliant code example can be found in is from a version of drivers/net/tun.c and affects Linux kernel 2.6.30 [Goodin 2009].:

Code Block
bgColor#FFCCCC
langc
static unsigned int tun_chr_poll(struct file *file, poll_table * wait)  {
  struct tun_file *tfile = file->private_data;
  struct tun_struct *tun = __tun_get(tfile);
  struct sock *sk = tun->sk;
  unsigned int mask = 0;

  if (!tun)
    return POLLERR;

  DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);

  poll_wait(file, &tun->socket.wait, wait);

  if (!skb_queue_empty(&tun->readq))
    mask |= POLLIN | POLLRDNORM;

  if (sock_writeable(sk) ||
     (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
     sock_writeable(sk)))
    mask |= POLLOUT | POLLWRNORM;

  if (tun->dev->reg_state != NETREG_REGISTERED)
    mask = POLLERR;

  tun_put(tun);
  return mask;
}

The vulnerability occurs because sk pointer is initialized to tun->sk before checking if tun is equal to NULL. Of course, this should be done first because the GCC compiler (a null pointer. Because null pointer dereferencing is undefined behavior, the compiler (GCC in this case) optimizes it and completely removes can optimize away the if (!tun) check because it is performed after the assignment tun->sk is accessed, implying that tun is non-null. As a result, the above vulnerability can result in this noncompliant code example is vulnerable to a null pointer dereference exploit.Normally, because null pointer dereference results in access violation and abnormal program termination. However, it is possible to permit null pointer dereferencing on several operating systemsdereferencing can be permitted on several platforms, for example, by using mmap(2) with the MAP_FIXED flag on Linux and Mac OS X, or by using the shmat(2) POSIX function with the SHM_RND flag on Linux [Liu 2009].

Compliant Solution

This compliant solution eliminates the null pointer deference by initializing sk to tun->sk following the null pointer check. It also adds assertions to document that certain other pointers must not be null.

Code Block
bgColor#ccccff
langc
static unsigned int tun_chr_poll(struct file *file, poll_table * wait)  {
  assert(file);
  struct tun_file *tfile = file->private_data;
  struct tun_struct *tun = __tun_get(tfile);
  struct sock *sk;
  unsigned int mask = 0;

  if (!tun)
    return POLLERR;

  sk = tun->sk;

  DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);

  poll_wait(file, &tun->socket.wait, wait);

  if (!skb_queue_empty(&tun->readq))
    mask |= POLLIN | POLLRDNORM;

  if (sock_writeable(sk) ||
     (!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
     sock_writeable(sk)))
    mask |= POLLOUT | POLLWRNORM;

  if (tun->dev->reg_state != NETREG_REGISTERED)
    mask = POLLERR;

  tun_put(tun);
  return mask;
assert(tun->dev);
  sk = tun->sk;
  assert(sk);
  assert(sk->socket);
  /* The remaining code is omitted because it is unchanged... */
}

Risk Assessment

Dereferencing a null pointer results in is undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code [Jack 2007, van Sprundel 2006]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP34-C

high

High

likely

Likely

medium

Medium

P18

L1

Automated Detection

ToolVersionCheckerDescription
LDRA tool suite
Astrée
Include Page
LDRA
Astrée_V
LDRA
Astrée_V
45 D
null-dereferencingFully
implemented.

Fortify SCA

V. 5.0

  

Splint

Include PageSplint_VSplint_V 
checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-EXP34
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.NPD
LANG.STRUCT.NTAD
LANG.STRUCT.UPD

Null pointer dereference
Null test after dereference
Unchecked parameter dereference

 

Compass/ROSE
  


Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by malloc(), calloc(), or realloc() is first checked for NULL before being used (otherwise, it is free()-

d

ed). ROSE does not handle cases where an allocation is assigned to an lvalue that is not a variable (such as a struct member or C++ function call returning a reference)

.

Coverity

 


Include Page
Coverity_V
Coverity_V

CHECKED_RETURN

NULL_RETURNS

REVERSE_INULL

FORWARD_NULL

Finds instances where a pointer is checked against NULL and then later dereferenced

.

Coverity

  Include PageCoverity_V 

Coverity_V 

NULL_RETURNS

Identifies functions that can return a null pointer but are not checked

. 

Coverity

  Include PageCoverity_VCoverity_V REVERSE_INULL

 

Identifies code that dereferences a pointer and then checks the pointer against

NULL. 

Coverity

  Include PageCoverity_VCoverity_V FORWARD_

NULL

 

Can find the instances where NULL is explicitly dereferenced or a pointer is checked against NULL but then dereferenced anyway. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary

Cppcheck
Include Page
Cppcheck_V
Cppcheck_V
nullPointer, nullPointerDefaultArg, nullPointerRedundantCheck

Context sensitive analysis

Detects when NULL is dereferenced (Array of pointers is not checked. Pointer members in structs are not checked.)

Finds instances where a pointer is checked against NULL and then later dereferenced

Identifies code that dereferences a pointer and then checks the pointer against NULL

Does not guess that return values from malloc(), strchr(), etc., can be NULL (The return value from malloc() is NULL only if there is OOMo and the dev might not care to handle that. The return value from strchr() is often NULL, but the dev might know that a specific strchr() function call will not return NULL.

)

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF2810, DF2811, DF2812, DF2813

Fully implemented
 
Klocwork
 
Include Page
Klocwork_V
Klocwork_V
 

NPD.* *RNPD.*

 

...

NPD.CHECK.CALL.MIGHT
NPD.CHECK.CALL.MUST
NPD.CHECK.MIGHT
NPD.CHECK.MUST
NPD.CONST.CALL
NPD.CONST.DEREF
NPD.FUNC.CALL.MIGHT
NPD.FUNC.CALL.MUST
NPD.FUNC.MIGHT
NPD.FUNC.MUST
NPD.GEN.CALL.MIGHT
NPD.GEN.CALL.MUST
NPD.GEN.MIGHT
NPD.GEN.MUST
RNPD.CALL
RNPD.DEREF

Fully implemented
LDRA tool suite
Include Page
LDRA_V
LDRA_V

45 D, 123 D, 128 D, 129 D, 130 D, 131 D, 652 S

Fully implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP34-a

Avoid null pointer dereferencing

Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

413, 418, 444, 613, 668

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP34-C


Checks for use of null pointers (rule partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V522, V595, V664, V713, V1004
SonarQube C/C++ Plugin
Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
S2259
Splint
Include Page
Splint_V
Splint_V


TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

mem_accessExhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: EXP34-CPP. Ensure a null pointer is not dereferenced

...

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT Oracle Secure Coding Standard for Java

...

EXP01-J.

...

Do not use a null in a case where an object is requiredPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC

...

TR 24772:2013Pointer Casting and Pointer Type Changes [HFC]Prior to 2018-01-12: CERT: Unspecified Relationship

...

ISO/IEC TR

...

24772:2013Null Pointer Dereference [XYH]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Dereferencing an out-of-domain pointer [nullref]

ISO/IEC TR 24772 "HFC Pointer casting and pointer type changes" and "XYH Null pointer dereference"

Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11
CWE-476,

...

NULL Pointer Dereference2017-07-06: CERT: Exact

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-690 and EXP34-C

EXP34-C = Union( CWE-690, list) where list =


  • Dereferencing null pointers that were not returned by a function


CWE-252 and EXP34-C

Intersection( CWE-252, EXP34-C) = Ø

EXP34-C is a common consequence of ignoring function return values, but it is a distinct error, and can occur in other scenarios too.

Bibliography Bibliography

[Goodin 2009]
[Jack 2007]
[Liu 2009]
[van Sprundel 2006]
[Viega 2005]Section 5.2.18, "Null-

...

Pointer Dereference"


...

Image Modified Image Modified Image Modified

...