CWE-690: Unchecked Return Value Leading to NULL Pointer Dereference

admin, 2021-12-16 15:52:53

Unchecked Return Value to NULL Pointer Dereference

Structure: Chain

Abstraction: Compound

Status: Draft

Likelihood of Exploit: Unknown

Description

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

Extended Description

While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.

Related Weaknesses

  • StartsWith: CWE-252 (View ID 709, Chain ID 690)

  • ChildOf: CWE-476 (View ID 1000, Ordinal: Primary)

Applicable Platforms

Languages: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)

Common Consequences

Scope | Impact | Note
Availability | DoS: Crash, Exit, or Restart |

Detection Methods

Black Box

This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.

White Box

Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.

Example Code

The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).

bad Java

String username = getUserName();
if (username.equals(ADMIN_USER)) {
    ...
}

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

bad C

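#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed to be defined elsewhere; the entry does not show it. */
void validate_addr_form(char *addr);

void host_lookup(char *user_supplied_addr){
    struct hostent *hp;
    in_addr_t addr;
    char hostname[64];

    /* routine that ensures user_supplied_addr is in the right format for conversion */
    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    /* gethostbyaddr() returns NULL when the address does not resolve */
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
    /* hp is dereferenced without a NULL check, and the copy is unbounded */
    strcpy(hostname, hp->h_name);
}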

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this example is also vulnerable to a buffer overflow (see CWE-119).
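A checked counterpart of host_lookup(), added here as an illustration and not part of the CWE entry. The names host_lookup_checked, resolver_fn, lookup_status and stub_resolver are hypothetical, and inet_pton() stands in for validate_addr_form()/inet_addr(). The resolver is passed in so that a constructed stub can force the rarely-triggered NULL return that black box testing tends to miss; production code would pass gethostbyaddr.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* Same signature as gethostbyaddr(), injectable so a test can force failure. */
typedef struct hostent *(*resolver_fn)(const void *, socklen_t, int);
enum lookup_status { LOOKUP_OK, LOOKUP_BAD_ADDR, LOOKUP_NO_HOST, LOOKUP_TOO_LONG };

/* Hypothetical hardened host_lookup(): every fallible call is checked. */
enum lookup_status host_lookup_checked(const char *text, resolver_fn resolve,
                                       char *out, size_t outlen)
{
    struct in_addr addr;
    struct hostent *hp;
    size_t len;

    if (text == NULL || resolve == NULL || out == NULL || outlen == 0)
        return LOOKUP_BAD_ADDR;
    out[0] = '\0';
    if (inet_pton(AF_INET, text, &addr) != 1)   /* malformed address text */
        return LOOKUP_BAD_ADDR;
    hp = resolve(&addr, sizeof addr, AF_INET);
    if (hp == NULL || hp->h_name == NULL)       /* the check whose absence is CWE-252 */
        return LOOKUP_NO_HOST;
    len = strlen(hp->h_name);
    if (len >= outlen)                          /* bound the copy (CWE-119) */
        return LOOKUP_TOO_LONG;
    memcpy(out, hp->h_name, len + 1);
    return LOOKUP_OK;
}

/* Constructed stub: only 127.0.0.1 resolves (to a fixed name); all else returns NULL. */
static struct hostent *stub_resolver(const void *a, socklen_t n, int t)
{
    static char name[] = "host.example";
    static struct hostent he;
    (void)n; (void)t;
    if (((const struct in_addr *)a)->s_addr != htonl(INADDR_LOOPBACK))
        return NULL;
    he.h_name = name;
    return &he;
}

int main(void)
{
    char buf[64];
    return host_lookup_checked("192.0.2.1", stub_resolver, buf, sizeof buf) != LOOKUP_NO_HOST;
}
```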

Observed Examples

Reference | Description | Link
CVE-2008-1052 | Large Content-Length value leads to NULL pointer dereference when malloc fails. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1052
CVE-2006-6227 | Large message length field leads to NULL pointer dereference when malloc fails. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6227
CVE-2006-2555 | Parsing routine encounters NULL dereference when input is missing a colon separator. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2555
CVE-2003-1054 | URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1054
CVE-2008-5183 | chain: unchecked return value can lead to NULL dereference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CERT C Secure Coding | EXP34-C | CWE More Specific | Do not dereference null pointers
The CERT Oracle Secure Coding Standard for Java (2011) | ERR08-J | | Do not catch NullPointerException or any of its ancestors
SEI CERT Perl Coding Standard | EXP32-PL | CWE More Specific | Do not ignore function return values

Article sourced from the Internet: scap中文网
