logo

Unchecked Return Value to NULL Pointer Dereference

Draft Compound
Structure: Chain
Description

This vulnerability occurs when a program calls a function that can return a NULL pointer to signal failure, but the code does not check for this error condition before using the returned value, leading to a crash or unexpected behavior from dereferencing the NULL pointer.

Extended Description

Many functions in C and similar languages use a NULL pointer return value to indicate that an operation failed, such as when memory allocation fails or a required resource isn't found. If a developer assumes the call was always successful and uses the return value directly—for example, by trying to read or write to that memory location—the program will attempt to dereference NULL, typically causing a segmentation fault and a crash. This is a specific and common case of a broader class of unchecked return value errors. While not all functions signal errors with NULL (some use special integers or status codes), the pattern of failing to validate a function's output before proceeding is a frequent source of instability. Properly handling these potential NULL returns by adding checks is a fundamental practice for writing robust and secure software that can gracefully manage unexpected states.
Common Consequences 2
Scope: Availability

Impact: DoS: Crash, Exit, or Restart

Scope: IntegrityConfidentialityAvailability

Impact: Execute Unauthorized Code or CommandsRead MemoryModify Memory

In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.
Detection Methods 2
Black Box
This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.
White Box
Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.
Demonstrative Examples 2
The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).

Code Example:

Bad
Java
java

ID : DX-1

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

Code Example:

Bad
C
c

/*routine that ensures user_supplied_addr is in the right format for conversion /

c
If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (Unchecked Return Value), a NULL pointer dereference (NULL Pointer Dereference) would then occur in the call to strcpy().
Note that this code is also vulnerable to a buffer overflow (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Observed Examples 5
CVE-2008-1052Large Content-Length value leads to NULL pointer dereference when malloc fails.
CVE-2006-6227Large message length field leads to NULL pointer dereference when malloc fails.
CVE-2006-2555Parsing routine encounters NULL dereference when input is missing a colon separator.
CVE-2003-1054URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference.
CVE-2008-5183chain: unchecked return value can lead to NULL dereference
Applicable Platforms
Languages:
C : UndeterminedC++ : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
StartsWith: Unchecked Return Value (CWE-252)
ChildOf: Unchecked Return Value (CWE-252)
Taxonomy Mapping
  • CERT C Secure Coding
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • SEI CERT Perl Coding Standard