Attempting to dereference a null pointer results in undefined behavior, typically abnormal program termination.
Non-Compliant Code Example
In this example, input_str
is copied into dynamically allocated memory referenced by str
. If malloc()
fails, it returns a null pointer that is assigned to str
. When str
is dereferenced in memcpy()
, the program behaves in an unpredictable manner.
/* ... */ size_t size = strlen(input_str)+1; str = (char*) malloc(size); memcpy(str, input_str, size); /* ... */ free(str);
In accordance with rule MEM35-C. Allocate sufficient memory for an object, the argument supplied to malloc()
is checked to ensure a numeric overflow does not occur. In most cases it is preferable to check that this value does not exceed some maximum allocation that is typically much smaller than SIZE_MAX
.
Compliant Solution
To correct this error, ensure the pointer returned by malloc()
is not null. This also ensures compliance with MEM32-C. Detect and handle memory allocation errors.
/* ... */ size_t size = strlen(input_str)+1; str = (char*) malloc(size); if (str == NULL) { /* Handle Allocation Error */ } memcpy(str, input_str, size); /* ... */ free(str);
Risk Assessment
Dereferencing a null pointer results in undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code [[Jack 07], [van Sprundel 06]]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP34-C |
3 (high) |
3 (likely) |
2 (medium) |
P18 |
L1 |
Automated Detection
The LDRA tool suite V 7.6.0 is able to detect violations of this rule.
Fortify SCA Version 5.0 is able to detect violations of this rule.
The tool Compass Rose is able to detect violations of this rule.
The Coverity Prevent CHECKED_RETURN, NULL_RETURNS, and REVERSE_INULL checkers can all find violations of this rule. The CHECKED_RETURN finds instances where a pointer is checked against NULL
and then later dereferenced. The NULL_RETURNS checker identifies functions that can return a null pointer but are not checked. The REVERSE_INULL identifies code that dereferences a pointer and then checks the pointer against NULL
. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 6.3.2.3, "Pointers"
[[ISO/IEC PDTR 24772]] "HFC Pointer casting and pointer type changes" and "XYH Null Pointer Dereference"
[[Jack 07]]
[[MITRE 07]] CWE ID 476, "NULL Pointer Dereference"
[[van Sprundel 06]]
[[Viega 05]] Section 5.2.18, "Null-pointer dereference"
EXP33-C. Do not reference uninitialized variables 03. Expressions (EXP) EXP35-C. Do not access or modify the result of a function call after a subsequent sequence point