CWE-476

NULL Pointer Dereference. [Pointer-Issues, Improper-Adherence-To-Coding-Standards, Top25-2024-21]

Required inputs: IR, StaticSemanticAnalysis

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.

Demonstrative Examples
Example 1

While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.

    if (pointer1 != NULL) {
        /* make use of pointer1 */
        /* ... */
    }

If you are working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement and to unlock when it has finished; otherwise another thread can set the pointer to NULL between the check and the use.

Example 2

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

Example Language: C
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <string.h>
    #include <sys/socket.h>

    void host_lookup(char *user_supplied_addr){
        struct hostent *hp;
        in_addr_t addr;
        char hostname[64];

        /* routine that ensures user_supplied_addr is in the right format for conversion */
        validate_addr_form(user_supplied_addr);
        addr = inet_addr(user_supplied_addr);
        /* returns NULL when the address does not resolve; the result is never checked (CWE-252) */
        hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
        /* dereferences hp unchecked (CWE-476) and copies without a bound (CWE-119) */
        strcpy(hostname, hp->h_name);
    }

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this code is also vulnerable to a buffer overflow (CWE-119).
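A hardened counterpart to host_lookup, added here as an example (it is not part of the CWE excerpt or of the checker's own code): it validates the input with inet_pton, checks the resolver result before dereferencing it, and bounds the copy. The resolver is passed as a function pointer so that the constructed stubs below stand in for gethostbyaddr and the example runs offline; host_lookup_safe, lookup_fn, the stubs and run_case are all names introduced here.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Resolver hook with gethostbyaddr's signature, so a stub can replace it offline. */
typedef struct hostent *(*lookup_fn)(const void *addr, socklen_t len, int type);

/* Hardened host_lookup: returns 0 on success, -1 on any failure;
 * hostname is always NUL-terminated on return. */
int host_lookup_safe(const char *user_supplied_addr, lookup_fn lookup,
                     char *hostname, size_t hostname_len)
{
    struct in_addr addr;
    struct hostent *hp;
    if (hostname_len == 0) return -1;
    hostname[0] = '\0';
    /* inet_pton rejects malformed text outright (no INADDR_NONE ambiguity). */
    if (user_supplied_addr == NULL || inet_pton(AF_INET, user_supplied_addr, &addr) != 1)
        return -1;
    hp = lookup(&addr, sizeof addr, AF_INET);
    if (hp == NULL || hp->h_name == NULL)   /* the check the original omits (CWE-252/476) */
        return -1;
    snprintf(hostname, hostname_len, "%s", hp->h_name);  /* bounded copy (CWE-119) */
    return 0;
}

/* Constructed stand-ins for gethostbyaddr: one unresolvable, one resolvable. */
static struct hostent *stub_unresolved(const void *a, socklen_t l, int t)
{ (void)a; (void)l; (void)t; return NULL; }

static struct hostent *stub_resolved(const void *a, socklen_t l, int t)
{
    static char name[] = "constructed-host.example.invalid";   /* 32 characters */
    static struct hostent he;
    (void)a; (void)l; (void)t;
    he.h_name = name;
    return &he;
}

/* Runs one case: -1 on failure, otherwise the length of the copied hostname. */
int run_case(const char *ip, lookup_fn fn, size_t cap)
{
    char hostname[64];
    if (cap > sizeof hostname || host_lookup_safe(ip, fn, hostname, cap) != 0)
        return -1;
    return (int)strlen(hostname);
}
```

With an 8-byte destination the resolved name is truncated to 7 characters rather than overflowing, and an unresolvable address yields -1 instead of a crash in strcpy.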

Example 3

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.

Example Language: Java (Unsupported language for documentation only)
    String cmd = System.getProperty("cmd");  // null when the property is not defined
    cmd = cmd.trim();                        // NullPointerException on a null cmd

Example 4

This Android application has registered to handle a URL when sent an intent:

Example Language: Java (Unsupported language for documentation only)
    ...
    IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
    UrlHandlerReceiver receiver = new UrlHandlerReceiver();
    registerReceiver(receiver, filter);
    ...

    public class UrlHandlerReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if("com.example.URLHandler.openURL".equals(intent.getAction())) {
                // getStringExtra() returns null when the extra is absent from the intent
                String URL = intent.getStringExtra("URLToOpen");
                int length = URL.length();   // NullPointerException when URL is null
            ...
            }
        }
    }

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Example 5

Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns.

Example Language: Go (Unsupported language for documentation only)
    func HandleRequest(client http.Client, request *http.Request) (*http.Response, error) {
        response, err := client.Do(request)
        // response.Body is evaluated at this line, while response may still be nil
        defer response.Body.Close()
        if err != nil {
            return nil, err
        }
        ...
    }

If a user supplies a malformed request or violates the client policy, the Do method can return a nil response and a non-nil err.

HandleRequest registers the deferred close before it checks err. The receiver and arguments of a deferred call are evaluated at the defer statement, not when the function returns, so evaluating response.Body on a nil response panics at that line.

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key                             Text                                                Severity  Disabled
null_deref                      Pointer is NULL at dereference                      None      False
null_this_arg                   Pointer passed in as argument for this is NULL      None      False
possible_null_deref             Pointer may be NULL at dereference                  None      False
possible_null_deref_improbable  Pointer may be NULL at dereference (improbable)     None      False
possible_null_this_arg          Pointer passed in as argument for this may be NULL  None      False

Options

filter_multiple_instances : bool = False
    Whether a null pointer dereferenced multiple times in the same function should be reported only once.

report_null_this : bool = False
    Whether a null pointer passed as argument for the this-parameter should be reported in non-virtual calls as well.

witness_paths : bool = True
    Whether witness paths should be determined and included in the issue.