Unchecked Return Value to NULL Pointer Dereference

Draft Compound
Structure: Chain
Description

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

Extended Description

While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.

Common Consequences

Scope: Availability
Impact: DoS: Crash, Exit, or Restart

Scope: Integrity, Confidentiality, Availability
Impact: Execute Unauthorized Code or Commands; Read Memory; Modify Memory

In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.

Detection Methods
Black Box
This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.
White Box
Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.
Demonstrative Examples

The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing it (which may cause a NullPointerException).

Code Example (Java, bad; ID: DX-1):

This example takes an IP address from a user, verifies that it is well formed, and then looks up the hostname and copies it into a buffer.

Code Example (C, bad):

/* routine that ensures user_supplied_addr is in the right format for conversion */
If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (Unchecked Return Value), a NULL pointer dereference (NULL Pointer Dereference) would then occur in the call to strcpy().
Note that this code is also vulnerable to a buffer overflow (Improper Restriction of Operations within the Bounds of a Memory Buffer).
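The following is an added example, not code from the CWE entry itself, covering both demonstrative examples above: a lookup routine whose result may be NULL (like getUserName() in the first example and gethostbyaddr() in the second) is called, and the result is tested before it is dereferenced and copied. The resolver is a constructed in-memory table (an assumption, so the code runs offline) that returns NULL for unknown addresses exactly as gethostbyaddr() does; the hostname copy is length-bounded, which also addresses the buffer overflow noted in the text.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>  /* AF_INET */
#include <arpa/inet.h>   /* inet_pton(): well-formedness check for the address */

/* Constructed stand-in for the resolver. It maps two made-up addresses to
   hostnames and returns NULL for everything else, which is the contract
   gethostbyaddr() has when an address does not resolve. (Assumption: this
   table replaces the real DNS lookup so the example runs offline.) */
static const char *fake_resolve(const char *addr)
{
    static const struct { const char *ip; const char *host; } table[] = {
        { "192.0.2.1", "example-host.test" },   /* constructed sample entries */
        { "192.0.2.2", "another-host.test" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(addr, table[i].ip) == 0)
            return table[i].host;
    }
    return NULL;   /* "no such host": the value the vulnerable code never checks */
}

/* Outcome of a lookup; the caller is forced to handle failures explicitly. */
enum lookup_result {
    LOOKUP_OK = 0,
    LOOKUP_BAD_ADDR,   /* not a well-formed IPv4 address (or NULL arguments) */
    LOOKUP_NO_HOST,    /* resolver returned NULL */
    LOOKUP_TOO_LONG    /* hostname would not fit in the caller's buffer */
};

/* Hardened form of the page's second example: validate the address, test the
   possibly-NULL resolver result before touching it, and copy with a bound. */
enum lookup_result host_lookup(const char *user_supplied_addr,
                               char *hostname, size_t hostname_len)
{
    struct in_addr addr;

    if (user_supplied_addr == NULL || hostname == NULL || hostname_len == 0)
        return LOOKUP_BAD_ADDR;

    /* inet_pton() returns 1 only for a valid dotted-quad address */
    if (inet_pton(AF_INET, user_supplied_addr, &addr) != 1)
        return LOOKUP_BAD_ADDR;

    const char *resolved = fake_resolve(user_supplied_addr);
    if (resolved == NULL) {          /* the check the original code omits */
        hostname[0] = '\0';
        return LOOKUP_NO_HOST;
    }

    /* Bounded copy: also closes the buffer overflow noted in the text */
    size_t n = strlen(resolved);
    if (n >= hostname_len) {
        hostname[0] = '\0';
        return LOOKUP_TOO_LONG;
    }
    memcpy(hostname, resolved, n + 1);   /* n + 1 copies the terminator */
    return LOOKUP_OK;
}

int main(void)
{
    /* constructed inputs: resolvable, well-formed but unknown, malformed */
    const char *inputs[] = { "192.0.2.1", "192.0.2.9", "not-an-ip" };
    char hostname[64];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum lookup_result r = host_lookup(inputs[i], hostname, sizeof hostname);
        printf("%-12s -> result %d, hostname \"%s\"\n", inputs[i], (int)r, hostname);
    }
    return 0;
}
```

The design point is that the failure is surfaced as a return code the caller cannot ignore without an explicit decision, and the buffer is left as an empty string on every failure path so a caller that prints it anyway still does not dereference NULL or read uninitialised bytes.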
Observed Examples

CVE-2008-1052: Large Content-Length value leads to NULL pointer dereference when malloc fails.
CVE-2006-6227: Large message length field leads to NULL pointer dereference when malloc fails.
CVE-2006-2555: Parsing routine encounters NULL dereference when input is missing a colon separator.
CVE-2003-1054: URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference.
CVE-2008-5183: Chain: unchecked return value can lead to NULL dereference.
Applicable Platforms
Languages: C: Undetermined; C++: Undetermined
Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
  • CERT C Secure Coding
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • SEI CERT Perl Coding Standard