...
This compliant solution ensures that the pointer returned by png_malloc()
is not null. It also uses the unsigned type size_t
to pass the length
parameter, ensuring that negative values are not passed to func()
.
This solution also ensures that the user_data
pointer is not null. Passing a null pointer to memcpy() would produce undefined behavior, even if the number of bytes to copy were 0. The user_data
pointer could be invalid in other ways, such as pointing to freed memory. However there is no portable way to verify that the pointer is valid, other than checking for null.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <png.h> /* From libpng */ #include <string.h> void func(png_structp png_ptr, size_t length, const void *user_data) { png_charp chunkdata; if (lengthlength == SIZE_MAX) { /* Handle error */ } if (NULL == SIZEuser_MAXdata) { /* Handle error */ } chunkdata = (png_charp)png_malloc(png_ptr, length + 1); if (NULL == chunkdata) { /* Handle error */ } /* ... */ memcpy(chunkdata, user_data, length); /* ... */ } |
...
This compliant solution eliminates the null pointer deference by initializing sk
to tun->sk
following the null pointer check:. It also adds assertions to document that certain other pointers must not be null.
Code Block | ||||
---|---|---|---|---|
| ||||
static unsigned int tun_chr_poll(struct file *file, poll_table *wait) { assert(file); struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); struct sock *sk; unsigned int mask = 0; if (!tun) return POLLERR; assert(tun->dev); sk = tun->sk; tun->sk; assert(sk); assert(sk->socket); /* The remaining code is omitted because it is unchanged... */ } |
Risk Assessment
Dereferencing a null pointer is undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code [Jack 2007, van Sprundel 2006]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP34-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| null-dereferencing | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC-EXP34 | |||||||
CodeSonar |
| LANG.MEM.NPD | Null pointer dereference | ||||||
Compass/ROSE | Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by | ||||||||
| CHECKED_RETURN NULL_RETURNS REVERSE_INULL FORWARD_NULL | Finds instances where a pointer is checked against Identifies functions that can return a null pointer but are not checked Identifies code that dereferences a pointer and then checks the pointer against Can find the instances where | |||||||
Cppcheck |
| nullPointer, nullPointerDefaultArg, nullPointerRedundantCheck | Context sensitive analysis Detects when NULL is dereferenced (Array of pointers is not checked. Pointer members in structs are not checked.) Finds instances where a pointer is checked against Identifies code that dereferences a pointer and then checks the pointer against Does not guess that return values from |
NULL
.)return | |||||||||
Helix QAC |
| DF2810, DF2811, DF2812, DF2813 | Fully implemented | ||||||
Klocwork |
| NPD.CHECK.CALL.MIGHT | Fully implemented | ||||||
LDRA tool suite |
| 45 D, 123 D, 128 D, 129 D, 130 D, 131 D, 652 S | Fully implemented | ||||||
Parasoft C/C++test |
|
CERT_C- |
EXP34- |
a | Avoid null pointer dereferencing |
Parasoft Insure++ | Runtime analysis |
Null pointer,
Use of tainted pointer
Arithmetic operation performed on NULL
pointer
NULL
pointer dereferenced
Pointer from an unsecure source may be NULL or point to unknown memory
PC-lint Plus |
| 413, 418, 444, 613, 668 | Partially supported | ||||||
Polyspace Bug Finder |
| Checks for use of null pointers (rule partially covered) | |||||||
PVS-Studio |
|
2810, 2811, 2812, 2813, 2814, 2820, 2821, 2822, 2823, 2824
V522, V595, V664, V713, V1004 | |||||||||
SonarQube C/C++ Plugin |
| S2259 | |||||||
Splint |
| ||||||||
TrustInSoft Analyzer |
| mem_access | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
EXP34-C is a common consequence of ignoring function return values, but it is a distinct error, and can occur in other scenarios too.
BibliographyBibliography
[Goodin 2009] | |
[Jack 2007] | |
[Liu 2009] | |
[van Sprundel 2006] | |
[Viega 2005] | Section 5.2.18, "Null-Pointer Dereference" |
...