CWE-690

Unchecked Return Value to NULL Pointer Dereference. [Improper-Check-Or-Handling-Of-Exceptional-Conditions]

Required inputs: IR

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.
Demonstrative Examples
Example 1

The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).

Example Language:Java (Unsupported language for documentation only)
    String username = getUserName();
    if (username.equals(ADMIN_USER)) {
        ...
    }
Example 2

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

Example Language:C
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <string.h>
    #include <sys/socket.h>

    void validate_addr_form(char *addr); /* assumed to be defined elsewhere */

    void host_lookup(char *user_supplied_addr){
        struct hostent *hp;
        in_addr_t addr;
        char hostname[64];

        /*routine that ensures user_supplied_addr is in the right format for conversion */

        validate_addr_form(user_supplied_addr);
        addr = inet_addr(user_supplied_addr);
        /* gethostbyaddr() returns NULL when the address does not resolve; the result is never checked */
        hp = gethostbyaddr( &addr, sizeof(struct in_addr), AF_INET);
        strcpy(hostname, hp->h_name); /* NULL dereference (CWE-476); unbounded copy (CWE-119) */
    }

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this code is also vulnerable to a buffer overflow (CWE-119).

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.
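
A hardened counterpart of the host_lookup() example above, added here as an illustration and not part of the CWE text or the tool's documentation: it checks the resolver's return value before dereferencing it and bounds the copy. The resolver function pointer and the stub_resolve() entry for 10.0.0.1 are this example's own constructions; gethostbyaddr itself can be passed as the resolver.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* Resolver with gethostbyaddr()'s signature, injected so the lookup can be
 * exercised offline with a stub (this example's design, not the CWE's). */
typedef struct hostent *(*resolver_fn)(const void *, socklen_t, int);
/* Hardened counterpart of the CWE example's host_lookup(). Returns 0 on
 * success, -1 for a malformed address or unusable output buffer, -2 when
 * the address does not resolve (where the CWE example dereferences NULL),
 * and -3 when the hostname would not fit in out. */
int host_lookup_checked(const char *user_supplied_addr, char *out,
                        size_t outlen, resolver_fn resolve)
{
    struct in_addr addr;
    struct hostent *hp;
    size_t len;
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    /* inet_pton() reports malformed input explicitly; inet_addr() folds its
     * error into INADDR_NONE, which is also a legitimate address value. */
    if (user_supplied_addr == NULL ||
        inet_pton(AF_INET, user_supplied_addr, &addr) != 1)
        return -1;
    /* The check the CWE example omits (CWE-690 leading to CWE-476). */
    hp = resolve(&addr, sizeof addr, AF_INET);
    if (hp == NULL || hp->h_name == NULL)
        return -2;
    /* Bounded copy instead of strcpy() into a fixed buffer (CWE-119). */
    len = strlen(hp->h_name);
    if (len >= outlen)
        return -3;
    memcpy(out, hp->h_name, len + 1);
    return 0;
}

/* Stub standing in for gethostbyaddr(): resolves only 10.0.0.1 to a
 * constructed entry and returns NULL otherwise, so both paths run offline. */
static struct hostent *stub_resolve(const void *a, socklen_t l, int t)
{
    static char name[] = "host.example";
    static struct hostent he;
    (void)l; (void)t;
    if (((const struct in_addr *)a)->s_addr != htonl(0x0A000001))
        return NULL;
    he.h_name = name;
    return &he;
}
```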

Possible Messages

Key                    Text                    Severity  Disabled
unchecked_dereference  Unchecked dereference.  None      False

Options

allow_non_null_comparison

allow_non_null_comparison : bool = True

Whether to allow comparisons to non-null objects (e.g., &x for a given variable x) as checks.
 

dereference_filter

dereference_filter : typing.Callable[[Direct_Object_Selection_Interface], bool] | None = functools.partial(pointer_return_filter, function_returns=set())

Filter predicate for dereferenced objects.
 

ignored_object_types

ignored_object_types : set[bauhaus.ir.LIR_Class_Name] = set()

Types of LIR classes which are allowed to be dereferenced without further checks.
 

null_check_macro

null_check_macro : bauhaus.analysis.config.MacroName = ''

Name of macro used to represent check for NULL.
 

null_check_routines

null_check_routines : set[bauhaus.analysis.config.QualifiedName] = set()

Qualified names of functions used to realize a null check.
 

routines_returning_valid_pointers

routines_returning_valid_pointers : set[bauhaus.analysis.config.QualifiedName] = {'std::make_shared', 'std::make_unique'}

Routines that always return valid pointers. No check is enforced for variables defined using the return value of one of the routines.
 

types_ignored_by_qualified_name

types_ignored_by_qualified_name : set[bauhaus.analysis.config.QualifiedName] = set()

Fully qualified names of types to be considered as non-null without further check.