CWE-690: Unchecked Return Value to NULL Pointer Dereference

Structure: Chain

Abstraction: Compound

Status: Draft

Likelihood of Exploit: unknown

Description

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

Extended Description

While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.

Related Weaknesses

  • StartsWith: CWE-252 (View ID: 709, Chain ID: 690)

  • ChildOf: CWE-476 (View ID: 1000, Ordinal: Primary)

Applicable Platforms

Languages: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)

Common Consequences

Scope: Availability
Impact: DoS: Crash, Exit, or Restart
Notes: none

Detection Methods

Black Box

This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.

White Box

Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.

Demonstrative Examples

The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).

bad Java

String username = getUserName();
if (username.equals(ADMIN_USER)) {
...
}

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

bad C

#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* assumed to be defined elsewhere in the program */
void validate_addr_form(char *addr);

void host_lookup(char *user_supplied_addr){
    struct hostent *hp;
    in_addr_t addr;
    char hostname[64];
    in_addr_t inet_addr(const char *cp);

    /* routine that ensures user_supplied_addr is in the right format for conversion */

    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
    /* hp is never compared against NULL (CWE-252), so a failed lookup
       makes the next line dereference NULL (CWE-476) */
    strcpy(hostname, hp->h_name);
}

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this example is also vulnerable to a buffer overflow (see CWE-119).
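A hardened counterpart to the C example above, added here as an illustration and not part of the CWE entry. The function names copy_hostname and host_lookup_checked are this example's own; the copy step is split out so the NULL and length checks can be exercised offline with a constructed struct hostent, without any DNS traffic.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Copy hp->h_name into out, tolerating a NULL hostent (failed lookup) and a
 * name longer than the destination. Returns 0 on success, -1 when there is
 * nothing to copy (the check the original omits, CWE-252), -2 when the name
 * would not fit (the overflow noted above, CWE-119). */
int copy_hostname(const struct hostent *hp, char *out, size_t outlen)
{
    if (hp == NULL || hp->h_name == NULL || out == NULL || outlen == 0)
        return -1;                     /* do not dereference a failed result */
    size_t n = strlen(hp->h_name);
    if (n >= outlen)
        return -2;                     /* leave room for the terminating NUL */
    memcpy(out, hp->h_name, n + 1);    /* bounded copy including the NUL */
    return 0;
}

/* Checked version of host_lookup(): each step that can fail is tested before
 * its result is used. Returns 0 on success, -1 on any failure. */
int host_lookup_checked(const char *user_supplied_addr, char *hostname, size_t len)
{
    struct in_addr addr;
    /* inet_pton() reports malformed input instead of a sentinel value */
    if (user_supplied_addr == NULL ||
        inet_pton(AF_INET, user_supplied_addr, &addr) != 1)
        return -1;
    struct hostent *hp = gethostbyaddr(&addr, sizeof addr, AF_INET);
    if (hp == NULL)                    /* unresolvable address: report, don't crash */
        return -1;
    return copy_hostname(hp, hostname, len) == 0 ? 0 : -1;
}

int main(void)
{
    char name[64];
    /* 203.0.113.1 is a TEST-NET address that normally has no reverse record,
     * so this path exercises the NULL return without dereferencing it */
    printf("lookup result: %d\n", host_lookup_checked("203.0.113.1", name, sizeof name));
    return 0;
}
```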

Observed Examples

Reference, description, link:

CVE-2008-1052: Large Content-Length value leads to NULL pointer dereference when malloc fails. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1052
CVE-2006-6227: Large message length field leads to NULL pointer dereference when malloc fails. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6227
CVE-2006-2555: Parsing routine encounters NULL dereference when input is missing a colon separator. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2555
CVE-2003-1054: URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1054
CVE-2008-5183: chain: unchecked return value can lead to NULL dereference. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183

Taxonomy Mappings

Mapped taxonomy name, node ID, fit, mapped node name:

CERT C Secure Coding: EXP34-C (CWE More Specific) - Do not dereference null pointers
The CERT Oracle Secure Coding Standard for Java (2011): ERR08-J - Do not catch NullPointerException or any of its ancestors
SEI CERT Perl Coding Standard: EXP32-PL (CWE More Specific) - Do not ignore function return values