[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97389

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

NULL Pointer Dereference

ID: 476Date: (C)2012-05-14   (M)2017-11-15
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Extended Description

NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.

Likelihood of Exploit: Medium

Applicable Platforms
Language: C
Language: C++
Language: Java
Language: .NET

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Availability
 
DoS: crash / exit / restart
 
NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.
 
Integrity
Confidentiality
Availability
 
Execute unauthorized code or commands
 
In very rare circumstances and environments, code execution is possible.
 

Detection Methods

NameDescriptionEffectivenessNotes
Automated Dynamic Analysis
 
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
 
Moderate
 
 
Manual Dynamic Analysis
 
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
 
  

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented.
 
  
Requirements
 
 The choice could be made to use a language that is not susceptible to these issues.
 
  
Implementation
 
 Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
 
Moderate
 
Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment.
This solution does not handle the use of improperly initialized variables (CWE-665).
 
Architecture and Design
 
 Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
 
  
Implementation
 
 Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
 
  
Testing
 
 Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
 
  

Relationships

Related CWETypeViewChain
CWE-476 ChildOf CWE-890 Category CWE-888  

Demonstrative Examples   (Details)

  1. In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.
  2. This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. (Demonstrative Example Id DX-1)
  3. While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.

Observed Examples

  1. CVE-2005-3274 : race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
  2. CVE-2002-1912 : large number of packets leads to NULL dereference
  3. CVE-2005-0772 : packet with invalid error status value triggers NULL dereference
  4. CVE-2009-4895 : chain: race condition for an argument value, possibly resulting in NULL dereference
  5. CVE-2009-3547 : chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
  6. CVE-2009-3620 : chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
  7. CVE-2009-2698 : chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference
  8. CVE-2009-2692 : chain: uninitialized function pointers can be dereferenced allowing code execution
  9. CVE-2009-0949 : chain: improper initialization of memory can lead to NULL dereference
  10. CVE-2008-3597 : chain: game server can access player data structures before initialization has happened leading to NULL dereference
  11. CVE-2008-5183 : chain: unchecked return value can lead to NULL dereference
  12. CVE-2004-0079 : SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
  13. CVE-2004-0365 : Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
  14. CVE-2003-1013 : Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.
  15. CVE-2003-1000 : Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.
  16. CVE-2004-0389 : Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.
  17. CVE-2004-0119 : OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.
  18. CVE-2004-0458 : Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.
  19. CVE-2002-0401 : Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
A weakness where the code path has:
1. start statement that assigns a null value to the pointer
2. end statement that dereferences a pointer
3. the code path does not contain any other statement that assigns value to the pointer

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
7 Pernicious Kingdoms  Null Dereference
 
 
CLASP  Null-pointer dereference
 
 
PLOVER  Null Dereference (Null Pointer Dereference)
 
 
OWASP Top Ten 2004 A9
 
Denial of Service
 
CWE_More_Specific
 
CERT C Secure Coding EXP34-C
 
Ensure a null pointer is not dereferenced
 
 
CERT C Secure Coding MEM32-C
 
Detect and handle memory allocation errors
 
 
CERT C++ Secure Coding EXP34-CPP
 
Ensure a null pointer is not dereferenced
 
 
CERT C++ Secure Coding MEM32-CPP
 
Detect and handle memory allocation errors
 
 

References:
None

© 2013 SecPod Technologies