...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <png.h> /* From libpng */ #include <string.h> void func(png_structp png_ptr, size_t length, const void *user_data) { png_charp chunkdata; if (length == SIZE_MAX) { /* Handle error */ } if (NULL == user_data) { /* Handle error */ } chunkdata = (png_charp)png_malloc(png_ptr, length + 1); if (NULL == chunkdata) { /* Handle error */ } /* ... */ if (NULL ==memcpy(chunkdata, user_data) { /* Handle error */ } /* ... */ memcpy(chunkdata, user_data, length, length); /* ... */ } |
Noncompliant Code Example
...
This compliant solution eliminates the null pointer deference by initializing sk
to tun->sk
following the null pointer check:. It also adds assertions to document that certain other pointers must not be null.
Code Block | ||||
---|---|---|---|---|
| ||||
Code Block | ||||
| ||||
static unsigned int tun_chr_poll(struct file *file, poll_table *wait) { assert(file); struct tun_file *tfile = file->private_data; struct tun_struct *tun = __tun_get(tfile); struct sock *sk; unsigned int mask = 0; if (!tun) return POLLERR; assert(tun->dev); sk = tun->sk; assert(sk); assert(sk->socket); /* The remaining code is omitted because it is unchanged... */ } |
Risk Assessment
Dereferencing a null pointer is undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code [Jack 2007, van Sprundel 2006]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP34-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| null-dereferencing | Fully checked |
Axivion Bauhaus Suite |
|
| CertC-EXP34 | ||||||||
CodeSonar |
| LANG.MEM.NPD | Null pointer dereference | ||||||
Compass/ROSE | Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by | ||||||||
| CHECKED_RETURN NULL_RETURNS REVERSE_INULL FORWARD_NULL | Finds instances where a pointer is checked against Identifies functions that can return a null pointer but are not checked Identifies code that dereferences a pointer and then checks the pointer against Can find the instances where | |||||||
Cppcheck |
| nullPointer, nullPointerDefaultArg, nullPointerRedundantCheck | Context sensitive analysis Detects when NULL is dereferenced (Array of pointers is not checked. Pointer members in structs are not checked.) Finds instances where a pointer is checked against Identifies code that dereferences a pointer and then checks the pointer against Does not guess that return values from | ||||||
Helix QAC |
| DF2810, DF2811, DF2812, DF2813 | Fully implemented | ||||||
Klocwork |
| NPD.CHECK.CALL.MIGHT | Fully implemented | ||||||
LDRA tool suite |
| 45 D, 123 D, 128 D, 129 D, 130 D, 131 D, 652 S | Fully implemented | ||||||
Parasoft C/C++test |
|
CERT_C- |
EXP34- |
a | Avoid null pointer dereferencing |
Parasoft Insure++ | Runtime analysis |
Null pointer,
Use of tainted pointer
Arithmetic operation performed on NULL
pointer
NULL
pointer dereferenced
Pointer from an unsecure source may be NULL or point to unknown memory
PC-lint Plus |
| 413, 418, 444, 613, 668 | Partially supported | ||||||
Polyspace Bug Finder |
| Checks for use of null pointers (rule partially covered) |
2810, 2811, 2812, 2813, 2814, 2820, 2821, 2822, 2823, 2824
PVS-Studio |
| V522, V595, V664, V713, V1004 | |||||||
SonarQube C/C++ Plugin |
| S2259 | |||||||
Splint |
| ||||||||
TrustInSoft Analyzer |
| mem_access | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
EXP34-C is a common consequence of ignoring function return values, but it is a distinct error, and can occur in other scenarios too.
BibliographyBibliography
[Goodin 2009] | |
[Jack 2007] | |
[Liu 2009] | |
[van Sprundel 2006] | |
[Viega 2005] | Section 5.2.18, "Null-Pointer Dereference" |
...