CWE-690 Individual Dictionary Definition (Draft 9)
Compound Element ID: 690 (Compound Element Base: Chain)
Status: Draft

Description

Summary: The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

Extended Description: While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.

Detection Factor

Black box: This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.

White box: Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.

Observed Examples

| Reference | Description |
|---|---|
| CVE-2008-1052 | Large Content-Length value leads to NULL pointer dereference when malloc fails. |
| CVE-2006-6227 | Large message length field leads to NULL pointer dereference when malloc fails. |
| CVE-2006-2555 | Parsing routine encounters NULL dereference when input is missing a colon separator. |
| CVE-2003-1054 | URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference. |

Context Notes

This weakness typically occurs when an application passes user-controlled input to a malloc() call. The related code might be correct with respect to preventing buffer overflows, but if a large value is provided, the malloc() will fail due to insufficient memory.

This problem also frequently occurs when a parsing routine expects that certain elements will always be present. If malformed input is provided, the parser might return NULL. For example, strtok() can return NULL.

Applicable Platforms: C, C++
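
The two cases from the Context Notes (an untrusted length field feeding malloc(), and strtok() on input that is missing its separator), written with the return-value checks in place. This is an added example, not part of the CWE entry; `split_header`, `copy_body` and the 1 MiB `MAX_BODY` limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (1u << 20)  /* assumed policy limit: 1 MiB, not from the page */

/* Split "Name: value" in place. Returns 0 on success, -1 on malformed input.
 * strtok() returns NULL when no token is left, so each result is checked
 * before it is used. */
int split_header(char *line, char **name, char **value)
{
    *name = strtok(line, ":");
    if (*name == NULL)                 /* empty line or only separators */
        return -1;
    *value = strtok(NULL, "\r\n");
    if (*value == NULL)                /* no colon, or nothing after it */
        return -1;
    *value += strspn(*value, " \t");   /* skip whitespace after the colon */
    return 0;
}

/* Copy a body whose length comes from an untrusted length field.
 * Returns a NUL-terminated heap copy, or NULL on any failure. */
char *copy_body(size_t declared_len, const char *data, size_t data_len)
{
    if (declared_len > MAX_BODY || declared_len > data_len)
        return NULL;                   /* refuse oversized or short input */
    char *buf = malloc(declared_len + 1);
    if (buf == NULL)                   /* the check CWE-690 code leaves out */
        return NULL;
    memcpy(buf, data, declared_len);
    buf[declared_len] = '\0';
    return buf;
}

int main(void)
{
    char ok[] = "Content-Length: 5", bad[] = "Content-Length 5"; /* constructed */
    char *n, *v;
    printf("ok  -> %d\n", split_header(ok, &n, &v));
    printf("bad -> %d\n", split_header(bad, &n, &v));
    char *body = copy_body(5, "hello world", 11);
    printf("body -> %s\n", body ? body : "(rejected)");
    free(body);
    return 0;
}
```

Bounding the length before the allocation keeps the failure path predictable, but the NULL check after malloc() is still required because allocation can fail below the limit.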