CWE-476 空指针解引用

NULL Pointer Dereference

结构: Simple

Abstraction: Base

状态: Stable

被利用可能性: Medium

基本描述

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

扩展描述

NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 710 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 754 cwe_View_ID: 1000

• cwe_Nature: ChildOf cwe_CWE_ID: 754 cwe_View_ID: 1003 cwe_Ordinal: Primary

适用平台

Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C#', 'cwe_Prevalence': 'Undetermined'}]

常见的影响

检测方法

DM-2 Automated Dynamic Analysis

DM-12 Manual Dynamic Analysis

可能的缓解方案

Implementation

策略:

If all pointers that could have been modified are sanity-checked previous to use, nearly all NULL pointer dereferences can be prevented.

Requirements

策略:

The choice could be made to use a language that is not susceptible to these issues.

Implementation

策略:

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Architecture and Design

策略:

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Implementation

策略:

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Testing

策略:

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

示例代码

例

While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.

good

If you are working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished.

例

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

bad C

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference would then occur in the call to strcpy().

Note that this example is also vulnerable to a buffer overflow (see CWE-119).

例

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.

bad Java

例

This application has registered to handle a URL when sent an intent:

bad Java

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

分析过的案例

分类映射

引用

• REF-1031 Null pointer / Null dereferencing

• REF-1032 Null Reference Creation and Null Pointer Dereference

• REF-1033 NULL Pointer Dereference [CWE-476]

文章来源于互联网:scap中文网