CWE-562 返回栈上的变量地址
Return of Stack Variable Address
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: unkown
基本描述
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
扩展描述
Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 758 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 758 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: CanPrecede cwe_CWE_ID: 672 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 825 cwe_View_ID: 1000
适用平台
Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}]
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Availability | DoS: Crash, Exit, or Restart |
可能的缓解方案
Testing
策略:
Use static analysis tools to spot return of the address of a stack variable.
示例代码
例
The following function returns a stack address.
bad C
fillInName(name);
return name;
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CERT C Secure Coding | DCL30-C | CWE More Specific | Declare objects with appropriate storage durations |
| CERT C Secure Coding | POS34-C | Do not call putenv() with a pointer to an automatic variable as the argument | |
| Software Fault Patterns | SFP1 | Glitch in computation |