Unchecked Return Value to NULL Pointer Dereference

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.


Description

While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The code below calls the getUserName() function but does not check the return value before dereferencing it, which may cause a NullPointerException if the function returns null.

String username = getUserName();
if (username.equals(ADMIN_USER)) {
  ...
}

Example Two

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

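#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

void host_lookup(char *user_supplied_addr){

  struct hostent *hp;
  in_addr_t addr;
  char hostname[64];

  /* routine that ensures user_supplied_addr is in the right format for conversion */

  validate_addr_form(user_supplied_addr);
  addr = inet_addr(user_supplied_addr);
  /* gethostbyaddr() returns NULL on failure; the result is not checked here */
  hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
  /* hp is dereferenced without a NULL check, and the copy is unbounded */
  strcpy(hostname, hp->h_name);

}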

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr() (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this code is also vulnerable to a buffer overflow (CWE-119).
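A hardened counterpart to Example Two, added here as an illustration and not part of the original CWE entry: it checks the lookup result before dereferencing it and bounds the copy into the caller's buffer. The name host_lookup_checked(), the LOOKUP_* return codes, the injected resolver parameter and the two stub resolvers are assumptions made so the example runs offline; inet_pton() replaces the inet_addr()/validate_addr_form() pair, and in real use gethostbyaddr can be passed as the resolver.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Resolver signature matching gethostbyaddr(), so a stub can be substituted. */
typedef struct hostent *(*lookup_fn)(const void *, socklen_t, int);

enum { LOOKUP_OK = 0, LOOKUP_BAD_ADDR = -1, LOOKUP_NO_HOST = -2, LOOKUP_TOO_LONG = -3 };

/* Hypothetical hardened variant of host_lookup(): every fallible call is checked. */
int host_lookup_checked(const char *text, char *out, size_t outlen, lookup_fn lookup)
{
    struct in_addr addr;
    struct hostent *hp;

    if (text == NULL || out == NULL || outlen == 0 || lookup == NULL)
        return LOOKUP_BAD_ADDR;
    out[0] = '\0';                               /* defined result on every error path */
    if (inet_pton(AF_INET, text, &addr) != 1)    /* reject malformed input */
        return LOOKUP_BAD_ADDR;
    hp = lookup(&addr, sizeof addr, AF_INET);
    if (hp == NULL || hp->h_name == NULL)        /* the check missing in Example Two */
        return LOOKUP_NO_HOST;
    if (strlen(hp->h_name) >= outlen)            /* refuse names that would overflow */
        return LOOKUP_TOO_LONG;
    memcpy(out, hp->h_name, strlen(hp->h_name) + 1);
    return LOOKUP_OK;
}

/* Constructed stubs standing in for the resolver (sample data, not real DNS). */
static struct hostent *stub_unresolved(const void *a, socklen_t l, int t)
{ (void)a; (void)l; (void)t; return NULL; }

static struct hostent *stub_resolved(const void *a, socklen_t l, int t)
{
    static char name[] = "host.example.test";
    static struct hostent he;
    (void)a; (void)l; (void)t;
    he.h_name = name;
    return &he;
}

int main(void)
{
    char h[64];
    printf("unresolved: rc=%d\n", host_lookup_checked("192.0.2.10", h, sizeof h, stub_unresolved));
    printf("resolved:   rc=%d name=%s\n", host_lookup_checked("192.0.2.10", h, sizeof h, stub_resolved), h);
    return 0;
}
```

Returning a distinct code for each failure lets the caller tell an unresolvable address apart from malformed input or an oversized name instead of crashing on the first.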

See Also

Comprehensive Categorization: Memory Safety

Weaknesses in this category are related to memory safety.

SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP)

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP)

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Named Chains

This view displays Named Chains and their components.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.