CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.4)  

CWE-476: NULL Pointer Dereference

Individual Definition in a New Window
NULL Pointer Dereference
Status: Draft
Weakness ID: 476 (Weakness Base)
+ Description
Summary

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

+ Time of Introduction
* Implementation
+ Applicable Platforms
Languages
C
C++
Java
.NET
+ Common Consequences
Availability

NULL pointer dereferences usually result in the failure of the process.

In very rare circumstances and environments, code execution is possible.

+ Likelihood of Exploit

Medium

+ Demonstrative Examples
Example 1:

NULL pointer dereference issue can occur through a number of flaws, including race conditions, and simple programming omissions. While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur. Before using a pointer, ensure that it is not equal to NULL:

C Example:
if (pointer1 != NULL) {
/* make use of pointer1 */
/* ... */
}

When freeing pointers, ensure they are not set to NULL, and be sure to set them to NULL once they are freed:

C Example:
if (pointer1 != NULL) {
free(pointer1);
pointer1 = NULL;
}

If you are working with a multi-threaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished.

Example 2:

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.

Java Example:
String cmd = System.getProperty("cmd");
cmd = cmd.trim();
+ Observed Examples
ReferenceDescription
 
large number of packets leads to NULL dereference
 
 
 
 
 
 
 
packet with invalid error status value triggers NULL dereference
race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
+ Potential Mitigations

Requirements specification: The choice could be made to use a language that is not susceptible to these issues.

Implementation

If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented.

+ Other Notes

NULL pointer dereferences, while common, can generally be found and corrected in a simply way. They will always result in the crash of the process unless exception handling (on some platforms) is invoked, and even then, little can be done to salvage the process.

NULL pointer dereferences are frequently resultant from rarely encountered error conditions, since these are most likely to escape detection during the testing phases.

+ Weakness Ordinalities
Resultant (where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
ChildOfWeakness ClassWeakness ClassWeakness Class398Indicator of Poor Code Quality
Development Concepts (primary)699
Seven Pernicious Kingdoms (primary)700
Research Concepts (primary)1000
ChildOfCategoryCategory730OWASP Top Ten 2004 Category A9 - Denial of Service
Weaknesses in OWASP Top Ten (2004) (primary)711
PeerOfWeakness BaseWeakness BaseWeakness Base373State Synchronization Error
Research Concepts1000
ChildOfCategoryCategory737CERT C Secure Coding Section 03 - Expressions (EXP)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
ChildOfCategoryCategory742CERT C Secure Coding Section 08 - Memory Management (MEM)
Weaknesses Addressed by the CERT C Secure Coding Standard734
MemberOfViewView630Weaknesses Examined by SAMATE
Weaknesses Examined by SAMATE (primary)630
CanFollowWeakness BaseWeakness BaseWeakness Base252Unchecked Return Value
Research Concepts1000
Unchecked Return Value to NULL Pointer Dereference690
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious Kingdoms  Null Dereference
CLASP  Null-pointer dereference
PLOVER  Null Dereference (Null Pointer Dereference)
OWASP Top Ten 2004A9CWE More SpecificDenial of Service
CERT C Secure CodingEXP34-C Ensure a null pointer is not dereferenced
CERT C Secure CodingMEM32-C Detect and handle memory allocation errors
+ White Box Definitions

A weakness where the code path has:

1. start statement that assigns a null value to the pointer

2. end statement that dereferences a pointer

3. the code path does not contain any other statement that assigns value to the pointer

+ Content History
Submissions
7 Pernicious Kingdoms. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
KDM Analytics. 2008-08-01. (External)
added/updated white box definitions
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team. MITRE. 2008-11-24. (Internal)
updated Relationships, Taxonomy_Mappings
CWE Content Team. MITRE. 2009-05-27. (Internal)
updated Demonstrative_Examples
Back to top
Page Last Updated: May 26, 2009
 

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us