Unchecked Return Value to NULL Pointer Dereference
Compound Element ID: 690 (Compound Element Base: Chain)
Status: Draft
Description
Description Summary
The product does not check for an error after calling a
function that can return with a NULL pointer if the function fails, which leads
to a resultant NULL pointer dereference.
Extended Description
While unchecked return value weaknesses are not limited to returns of NULL
pointers (see the examples in CWE-252), functions often return NULL to
indicate an error status. When this error condition is not checked, a NULL
pointer dereference can occur.
Applicable Platforms
Languages
C
C++
Detection Factors
Black Box:
This typically occurs in rarely-triggered error conditions, reducing
the chances of detection during black box testing.
White Box:
Code analysis can require knowledge of API behaviors for library
functions that might return NULL, reducing the chances of detection when
unknown libraries are used.
Demonstrative Examples
Example 1
The code below makes a call to the getUserName() function but
doesn't check the return value before dereferencing (which may cause a
NullPointerException).
URI parsing API sets argument to NULL when a
parsing failure occurs, such as when the Referer header is missing a
hostname, leading to NULL dereference.
Other Notes
This weakness typically occurs when an application passes user-controlled
input to a malloc() call. The related code might be correct
with respect to preventing buffer overflows, but if a large value is
provided, the malloc() will fail due to insufficient memory. This problem
also frequently occurs when a parsing routine expects that certain elements
will always be present. If malformed input is provided, the parser might
return NULL. For example, strtok() can return NULL.
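
The two cases in the note above (a missing element making strtok() return NULL, and an input-controlled allocation size), shown as an added example that is not part of the original entry. The "<name>=<slot count>" input format, the function names and the MAX_SLOTS cap are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 4096u  /* assumed sanity cap for this example */

/* Hypothetical input format for this example: "<name>=<slot count>". */

/* Weak form (CWE-690): strtok() and malloc() results are used unchecked. */
int *make_table_unchecked(char *line, size_t *count) {
    strtok(line, "=");                            /* name, ignored here */
    char *num = strtok(NULL, "=");                /* NULL when "=<count>" is missing */
    *count = strtoul(num, NULL, 10);              /* NULL dereference inside strtoul */
    int *table = malloc(*count * sizeof *table);  /* NULL for a huge count */
    table[0] = 0;                                 /* NULL dereference on failure */
    return table;
}

/* Checked form: 0 on success, -1 malformed input, -2 allocation failure. */
int make_table_checked(char *line, int **table, size_t *count) {
    char *end = NULL;
    *table = NULL;
    *count = 0;
    if (strtok(line, "=") == NULL)
        return -1;                                /* empty line */
    char *num = strtok(NULL, "=");
    if (num == NULL)
        return -1;                                /* count element absent */
    errno = 0;
    unsigned long n = strtoul(num, &end, 10);
    if (errno != 0 || end == num || *end != '\0' || n == 0 || n > MAX_SLOTS)
        return -1;                                /* not a number, or out of range */
    int *t = calloc(n, sizeof *t);
    if (t == NULL)
        return -2;                                /* report failure, never dereference */
    *table = t;
    *count = n;
    return 0;
}
```

The caller owns the returned table and must free() it; on any non-zero return the output pointer stays NULL and must not be used.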