CWE-476 空指针解引用

NULL Pointer Dereference

结构: Simple

Abstraction: Base

状态: Stable

被利用可能性: Medium

基本描述

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

扩展描述

NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 710 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 754 cwe_View_ID: 1000

  • cwe_Nature: ChildOf cwe_CWE_ID: 754 cwe_View_ID: 1003 cwe_Ordinal: Primary

适用平台

Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C#', 'cwe_Prevalence': 'Undetermined'}]

常见的影响

范围 影响 注释
Availability DoS: Crash, Exit, or Restart NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.
['Integrity', 'Confidentiality', 'Availability'] Execute Unauthorized Code or Commands In very rare circumstances and environments, code execution is possible.

检测方法

DM-2 Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

DM-12 Manual Dynamic Analysis

Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.

可能的缓解方案

Implementation

策略:

If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented.

Requirements

策略:

The choice could be made to use a language that is not susceptible to these issues.

Implementation

策略:

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Architecture and Design

策略:

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Implementation

策略:

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Testing

策略:

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

示例代码

While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.

good

if (pointer1 != NULL) {

/ make use of pointer1 /

/ ... /
}

If you are working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished.

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

bad C

void host_lookup(char user_supplied_addr){
struct hostent hp;
in_addr_t addr;
char hostname[64];
in_addr_t inet_addr(const char cp);

/routine that ensures user_supplied_addr is in the right format for conversion /

validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(hostname, hp->h_name);
}

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference would then occur in the call to strcpy().

Note that this example is also vulnerable to a buffer overflow (see CWE-119).

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.

bad Java

String cmd = System.getProperty("cmd");
cmd = cmd.trim();

This application has registered to handle a URL when sent an intent:

bad Java


...
IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
MyReceiver receiver = new MyReceiver();
registerReceiver(receiver, filter);
...

public class UrlHandlerReceiver extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
if("com.example.URLHandler.openURL".equals(intent.getAction())) {
String URL = intent.getStringExtra("URLToOpen");
int length = URL.length();

...
}
}
}

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

分析过的案例

标识 说明 链接
CVE-2005-3274 race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274
CVE-2002-1912 large number of packets leads to NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1912
CVE-2005-0772 packet with invalid error status value triggers NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0772
CVE-2009-4895 chain: race condition for an argument value, possibly resulting in NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4895
CVE-2009-3547 chain: race condition might allow resource to be released before operating on it, leading to NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
CVE-2009-3620 chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620
CVE-2009-2698 chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
CVE-2009-2692 chain: uninitialized function pointers can be dereferenced allowing code execution https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
CVE-2009-0949 chain: improper initialization of memory can lead to NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0949
CVE-2008-3597 chain: game server can access player data structures before initialization has happened leading to NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3597
CVE-2008-5183 chain: unchecked return value can lead to NULL dereference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183
CVE-2004-0079 SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0079
CVE-2004-0365 Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0365
CVE-2003-1013 Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1013
CVE-2003-1000 Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1000
CVE-2004-0389 Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0389
CVE-2004-0119 OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0119
CVE-2004-0458 Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0458
CVE-2002-0401 Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0401

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Null Dereference
CLASP Null-pointer dereference
PLOVER Null Dereference (Null Pointer Dereference)
OWASP Top Ten 2004 A9 CWE More Specific Denial of Service
CERT C Secure Coding EXP34-C Exact Do not dereference null pointers
Software Fault Patterns SFP7 Faulty Pointer Use

引用