Attempting to dereference an invalid pointer results in undefined behavior, typically abnormal program termination. Given this, pointers should be checked to make sure they are valid before they are dereferenced.
Non-Compliant Code Example
In this example, input_str
is copied into dynamically allocated memory referenced by str
. If malloc()
fails, it returns a NULL pointer that is assigned to str
. When str
is dereferenced in strcpy()
, the program behaves in an unpredictable manner.
/* ... */ size_t size = strlen(input_str); if (size == SIZE_MAX) { /* test for limit of size_t */ /* Handle Error */ } str = malloc(size+1); strcpy(str, input_str); /* ... */
Note that in accordance with rule [[MEM35-C]] the argument supplied to malloc()
is checked to ensure a numeric overflow does not occur.
Compliant Solution
To correct this error, ensure the pointer returned by malloc()
is not NULL. In addition to this rule, this should be done in accordance with rule [[MEM32-C]].
/* ... */ size_t size = strlen(input_str); if (size == SIZE_MAX) { /* test for limit of size_t */ /* Handle Error */ } str = malloc(size+1); if (str == NULL) { /* Handle Allocation Error */ } strcpy(str, input_str); /* ... */
Risk Assessment
Dereferencing an invalid pointer results in undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code [[van Sprundel 06], [Jack 07]]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code the actual severity is low.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP34-C |
3 (high) |
3 (likely) |
2 (medium) |
P18 |
L1 |
Automated Detection
The Coverity Prevent CHECKED_RETURN, NULL_RETURNS, and REVERSE_INULL checkers can all find violations of this rule. The CHECKED_RETURN finds instances where a pointer is checked against NULL
, and then later dereferenced. The NULL_RETURNS checker identifies function that can return a NULL
pointer but are not checked. The REVERSE_INULL identifies code that dereferences a pointer and then checks the pointer against NULL
. Coverity Prevent cannot discover all violations of this rule so further verification is necessary.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 6.3.2.3, "Pointers"
[[Jack 07]]
[[van Sprundel 06]]
[[Viega 05]] Section 5.2.18, "Null-pointer dereference"