SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 143

changes.mady.by.user Amy Gale

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

On many platforms, dereferencing a null pointer results in abnormal program termination, but this is not required by the standard. See "Clever Attack Exploits Fully-Patched Linux Kernel" [Goodin 2009] for an example of a code execution exploit that resulted from a null pointer dereference.

...

This compliant solution ensures that the pointer returned by png_malloc() is not null. It also uses the unsigned type size_t to pass the length parameter, ensuring that negative values are not passed to func().

This solution also ensures that the user_data pointer is not null. Passing a null pointer to memcpy() would produce undefined behavior, even if the number of bytes to copy were 0.  The user_data pointer could be invalid in other ways, such as pointing to freed memory. However there is no portable way to verify that the pointer is valid, other than checking for null.

Code Block
bgColor#ccccff
langc
#include <png.h> /* From libpng */
#include <string.h>

 void func(png_structp png_ptr, size_t length, const void *user_data) { 
  png_charp chunkdata;
  if (length == SIZE_MAX) {
    /* Handle error */
  }
  if (NULL == user_data) {
    /* Handle error */
  }
  chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  if (NULL == chunkdata) {
    /* Handle error */
  }
  /* ... */
  memcpy(chunkdata, user_data, length);
  /* ... */

 }

...

This compliant solution ensures that both input_str and the pointer returned by malloc() are not null.: 

Code Block
bgColor#ccccff
langc
#include <string.h>
#include <stdlib.h>
 
void f(const char *input_str) {
  size_t size;
  char *c_str;
 
  if (NULL == input_str) {
    /* Handle error */
  }
  
  size = strlen(input_str) + 1;
  c_str = (char *)malloc(size);
  if (NULL == c_str) {
    /* Handle error */
  }
  memcpy(c_str, input_str, size);
  /* ... */
  free(c_str);
  c_str = NULL;
  /* ... */
}

...

The sk pointer is initialized to tun->sk before checking if tun is a null pointer. Because null pointer dereferencing is undefined behavior, the compiler (GCC in this case) can optimize away the if (!tun) check because it is performed after tun->sk is accessed, implying that tun is non-null. As a result, this noncompliant code example is vulnerable to a null pointer dereference exploit, because null pointer dereferencing can be permitted on several platforms, for example, by using mmap(2) with the MAP_FIXED flag on Linux and Mac OS X, or by using the shmat() POSIX function with the SHM_RND flag [Liu 2009].

...

This compliant solution eliminates the null pointer deference by initializing sk to tun->sk following the null pointer check:. It also adds assertions to document that certain other pointers must not be null.

Code Block
bgColor#ccccff
langc
static unsigned int tun_chr_poll(struct file *file, poll_table *wait)  {
  assert(file);
  struct tun_file *tfile = file->private_data;
  struct tun_struct *tun = __tun_get(tfile);
  struct sock *sk;
  unsigned int mask = 0;

  if (!tun)
    return POLLERR;
  assert(tun->dev);
  sk = tun->sk;
  assert(sk);
  assert(sk->socket);
  /* The remaining code is omitted because it is unchanged... */

}

Risk Assessment

Dereferencing a null pointer is undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code [Jack 2007][van Sprundel 2006]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP34-C

High

Likely

Medium

P18

L1

Automated Detection

ToolVersionCheckerDescription
Astrée
Include Page
Astrée_V
Astrée_V
null-dereferencingFully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-EXP34
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.NPD
LANG.STRUCT.NTAD
LANG.STRUCT.UPD

Null

Pointer Dereference

pointer dereference
Null

Test After Dereference

test after dereference
Unchecked

Parameter Dereference

parameter dereference

Compass/ROSE
 
 


Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by malloc(), calloc(), or realloc() is first checked for NULL before being used (otherwise, it is free()-ed). ROSE does not handle cases where an allocation is assigned to an lvalue that is not a variable (such as a struct member or C++ function call returning a reference)

Coverity

 


Include Page
Coverity_V
Coverity_V

CHECKED_RETURN

NULL_RETURNS

REVERSE_INULL

FORWARD_NULL

Finds instances where a pointer is checked against NULL and then later dereferenced

Identifies functions that can return a null pointer but are not checked

Identifies code that dereferences a pointer and then checks the pointer against NULL

Can find the instances where NULL is explicitly dereferenced or a pointer is checked against NULL but then dereferenced anyway. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary

Cppcheck
Include Page
Cppcheck_V
Cppcheck_V
nullPointer, nullPointerDefaultArg, nullPointerRedundantCheck

Context sensitive analysis

Detects when NULL is dereferenced (Array of pointers is not checked. Pointer members in structs are not checked.)

Finds instances where a pointer is checked against NULL and then later dereferenced

Identifies code that dereferences a pointer and then checks the pointer against NULL

Does not guess that return values from malloc(), strchr(), etc., can be NULL (The return value from malloc() is NULL only if there is OOMo and the dev might not care to handle that. The return value from strchr() is often NULL, but the dev might know that a specific strchr() function call will not return NULL.)

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF2810, DF2811, DF2812, DF2813

Fully implemented

Fortify SCA

5.0

  
Klocwork
Include Page
Klocwork_V
Klocwork_V

NPD.CHECK.CALL.MIGHT
NPD.CHECK.CALL.MUST
NPD.CHECK.MIGHT
NPD.CHECK.MUST
NPD.CONST.CALL
NPD

.* *RNPD.*

.CONST.DEREF
NPD.FUNC.CALL.MIGHT
NPD.FUNC.CALL.MUST
NPD.FUNC.MIGHT
NPD.FUNC.MUST
NPD.GEN.CALL.MIGHT
NPD.GEN.CALL.MUST
NPD.GEN.MIGHT
NPD.GEN.MUST
RNPD.CALL
RNPD.DEREF

Fully implemented
 
LDRA tool suite
Include Page
LDRA_V
LDRA_V

45 D, 123 D, 128 D, 129 D, 130 D, 131 D, 652 S

Fully implemented
PRQA QA-C Include PagePRQA_VPRQA_V

0504  
0505  
0506  

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP34-a

Avoid null pointer dereferencing

Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

413, 418, 444, 613, 668

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP34-C


Checks for use of null pointers (rule partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V522, V595, V664, V713, V1004
SonarQube C/C++ Plugin
Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
S2259
Fully implemented

Splint
Include Page
Splint_V
Splint_V
 


TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

mem_accessExhaustively verified (see one compliant and one non-compliant example).
 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding Standardvoid MEM32-C. Detect and handle memory allocation errors CERT C++ Secure Coding StandardEXP34-CPP. Ensure a null pointer is not dereferenced

CERT Oracle Secure Coding Standard for JavaEXP01-J.
Never dereference null pointers
Do not use a null in a case where an object is requiredPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Pointer Casting and Pointer Type
Changes 
Changes [HFC]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Null Pointer Dereference [XYH]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Dereferencing an out-of-domain pointer [nullref]
MITRE CWE
Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-476, NULL Pointer Dereference
2017-07-06: CERT: Exact

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-690 and EXP34-C

EXP34-C = Union( CWE-690, list) where list =


  • Dereferencing null pointers that were not returned by a function


CWE-252 and EXP34-C

Intersection( CWE-252, EXP34-C) = Ø

EXP34-C is a common consequence of ignoring function return values, but it is a distinct error, and can occur in other scenarios too.

Bibliography Bibliography

[Goodin 2009]
 

[Jack 2007]
 

[Liu 2009]
 

[van Sprundel 2006]
 

[Viega 2005]Section 5.2.18, "Null-Pointer Dereference"

...


...

Image Modified Image Modified Image Modified