CWE-476: NULL Pointer Dereference

Export to Word

Description

The product dereferences a pointer that it expects to be valid but is NULL.

Extended Description

N/A


ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified


Observed Examples (CVEs)

Related Attack Patterns (CAPEC)

N/A


Attack TTPs

N/A

Modes of Introduction

Phase Note
Implementation N/A

Common Consequences

Potential Mitigations

Applicable Platforms


Demonstrative Examples

Intro: This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

Body: If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

void host_lookup(char *user_supplied_addr){ struct hostent *hp; in_addr_t *addr; char hostname[64]; in_addr_t inet_addr(const char *cp); /*routine that ensures user_supplied_addr is in the right format for conversion */ validate_addr_form(user_supplied_addr); addr = inet_addr(user_supplied_addr); hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET); strcpy(hostname, hp->h_name); }

Intro: In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.

String cmd = System.getProperty("cmd"); cmd = cmd.trim();

Intro: This Android application has registered to handle a URL when sent an intent:

Body: The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

... IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL"); MyReceiver receiver = new MyReceiver(); registerReceiver(receiver, filter); ... public class UrlHandlerReceiver extends BroadcastReceiver { @Override public void onReceive(Context context, Intent intent) { if("com.example.URLHandler.openURL".equals(intent.getAction())) { String URL = intent.getStringExtra("URLToOpen"); int length = URL.length(); ... } } }

Intro: Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns.

Body: If a user supplies a malformed request or violates the client policy, the Do method can return a nil response and a non-nil err.

func HandleRequest(client http.Client, request *http.Request) (*http.Response, error) { response, err := client.Do(request) defer response.Body.Close() if err != nil { return nil, err } ... }

Notes

← Back to CWE list