NULL Pointer Dereference |
Weakness ID: 476 (Weakness Base) | Status: Draft |
Description Summary
Scope | Effect |
---|---|
Availability | NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation. |
Integrity | In very rare circumstances and environments, code execution is possible. |
Example 1
NULL pointer dereference issue can occur through a number of flaws, including race conditions, and simple programming omissions. While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur. Before using a pointer, ensure that it is not equal to NULL:
When freeing pointers, ensure they are not set to NULL, and be sure to set them to NULL once they are freed:
If you are working with a multi-threaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished.
Example 2
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference would then occur in the call to strcpy().
Note that this example is also vulnerable to a buffer overflow (see CWE-119).
Example 3
In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.
Reference | Description |
---|---|
CVE-2005-3274 | race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking. |
CVE-2002-1912 | large number of packets leads to NULL dereference |
CVE-2005-0772 | packet with invalid error status value triggers NULL dereference |
CVE-2004-0079 | |
CVE-2004-0365 | |
CVE-2003-1013 | |
CVE-2003-1000 | |
CVE-2004-0389 | |
CVE-2004-0119 | |
CVE-2004-0458 | |
CVE-2002-0401 |
Phase: Implementation If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented. |
Phase: Requirements The choice could be made to use a language that is not susceptible to these issues. |
Phase: Implementation Check the results of all functions that return a value and verify that the value is non-null before acting upon it. Effectiveness: Moderate Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. This solution does not handle the use of improperly initialized variables (CWE-665). |
Phase: Architecture and Design Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values. |
Phase: Implementation Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage. |
Phase: Testing Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. |
Phase: Testing Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. |
Phase: Testing Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself. |
Ordinality | Description |
---|---|
Resultant | NULL pointer dereferences are frequently resultant from rarely encountered error conditions, since these are most likely to escape detection during the testing phases. |
Nature | Type | ID | Name | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Weakness Class | 398 | Indicator of Poor Code Quality | Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700 Research Concepts (primary)1000 | |
ChildOf | Category | 730 | OWASP Top Ten 2004 Category A9 - Denial of Service | Weaknesses in OWASP Top Ten (2004) (primary)711 | |
ChildOf | Category | 737 | CERT C Secure Coding Section 03 - Expressions (EXP) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 | |
ChildOf | Category | 742 | CERT C Secure Coding Section 08 - Memory Management (MEM) | Weaknesses Addressed by the CERT C Secure Coding Standard734 | |
ChildOf | Category | 808 | 2010 Top 25 - Weaknesses On the Cusp | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 | |
PeerOf | Weakness Base | 373 | State Synchronization Error | Research Concepts1000 | |
MemberOf | View | 630 | Weaknesses Examined by SAMATE | Weaknesses Examined by SAMATE (primary)630 | |
CanFollow | Weakness Base | 252 | Unchecked Return Value | Research Concepts1000 | Unchecked Return Value to NULL Pointer Dereference690 |
CanFollow | Weakness Variant | 789 | Uncontrolled Memory Allocation | Research Concepts1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
7 Pernicious Kingdoms | Null Dereference | ||
CLASP | Null-pointer dereference | ||
PLOVER | Null Dereference (Null Pointer Dereference) | ||
OWASP Top Ten 2004 | A9 | CWE More Specific | Denial of Service |
CERT C Secure Coding | EXP34-C | Ensure a null pointer is not dereferenced | |
CERT C Secure Coding | MEM32-C | Detect and handle memory allocation errors |
A weakness where the code path has: 1. start statement that assigns a null value to the pointer 2. end statement that dereferences a pointer 3. the code path does not contain any other statement that assigns value to the pointer |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
7 Pernicious Kingdoms | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-08-01 | KDM Analytics | External | ||
added/updated white box definitions | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Common Consequences, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Demonstrative Examples, Other Notes, Potential Mitigations, Weakness Ordinalities |