CWE-476: NULL Pointer Dereference

Description

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.

Example Vulnerable Codes

Example - 1

While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.


// /* make use of pointer1 */// 
// /* ... */// 
if (pointer1 != NULL) {}

If you are working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished.

Example - 2

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.


// /*routine that ensures user_supplied_addr is in the right format for conversion */// 
struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp);validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name);void host_lookup(char *user_supplied_addr){}

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this code is also vulnerable to a buffer overflow (CWE-119).

Example - 3

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.


String cmd = System.getProperty("cmd");cmd = cmd.trim();

Example - 4

This Android application has registered to handle a URL when sent an intent:


// ...// 
// ...// 


String URL = intent.getStringExtra("URLToOpen");int length = URL.length();
// ...// 
if("com.example.URLHandler.openURL".equals(intent.getAction())) {}@Overridepublic void onReceive(Context context, Intent intent) {}IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");MyReceiver receiver = new MyReceiver();registerReceiver(receiver, filter);public class UrlHandlerReceiver extends BroadcastReceiver {}

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Example - 5

Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns.



return nil, err
response, err := client.Do(request)defer response.Body.Close()if err != nil {}...func HandleRequest(client http.Client, request *http.Request) (*http.Response, error) {}

If a user supplies a malformed request or violates the client policy, the Do method can return a nil response and a non-nil err.

This HandleRequest Function evaluates the close before checking the error. A deferred call's arguments are evaluated immediately, so the defer statement panics due to a nil response.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 21, 2024 17:58