Corgea LogoCorgea Security Hub

CWE-476: NULL Pointer Dereference

Learn about CWE-476 (NULL Pointer Dereference), its security impact, exploitation methods, and prevention guidelines.

What is NULL Pointer Dereference?

• Overview: A NULL Pointer Dereference occurs when a program attempts to use a pointer that is expected to hold a valid memory address but instead holds a NULL value, leading to a program crash or undefined behavior.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by manipulating input data or conditions to cause a pointer to be NULL at a critical point.
  • Common attack patterns involve inducing crashes in software, potentially leading to Denial of Service (DoS) or using crash reports to gather information about the application.

• Security Impact:

  • Direct consequences include application crashes and potential security bypasses.
  • Potential cascading effects may involve system instability or vulnerability to further attacks.
  • Business impact could include service downtime, loss of customer trust, and potential data breaches if exploited in conjunction with other vulnerabilities.

• Prevention Guidelines:

  • Specific code-level fixes include checking pointer validity before dereferencing and ensuring proper initialization of pointers.
  • Security best practices involve thorough input validation, robust error handling, and the use of static analysis tools to detect potential NULL dereferences.
  • Recommended tools and frameworks include static code analyzers like Coverity or SonarQube, and adopting languages or frameworks that inherently manage pointers better, such as those with automatic memory management.
Corgea can automatically detect and fix NULL Pointer Dereference in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Medium

Affected Languages: C, C++, Java, C#, Go

Affected Technologies: Not specified

Vulnerable Code Example

C Example

#include <stdio.h>
#include <stdlib.h>

// Function that processes an integer array
void processArray(int *arr, size_t size) {
    // Vulnerability: No check if 'arr' is NULL before accessing it
    for(size_t i = 0; i < size; i++) {
        arr[i] *= 2; // Double each element
    }
}

int main() {
    int *numbers = NULL; // Assumed to be allocated dynamically elsewhere
    size_t size = 5;

    processArray(numbers, size); // Passing a NULL pointer
    return 0;
}

Explanation

In this vulnerable code example, the function processArray is called with a NULL pointer (numbers). The function attempts to dereference this NULL pointer without checking if it is valid, which can lead to undefined behavior and potential crashes.

How to fix NULL Pointer Dereference?

To fix the NULL pointer dereference vulnerability, perform a NULL check before attempting to dereference any pointers. This ensures that the pointer is valid and points to a memory location that can be safely accessed. Here are the best practices to follow:

  1. Validate Inputs: Always validate pointers before using them. If a pointer is NULL, handle the scenario gracefully, such as by returning an error or using a default behavior.
  2. Error Handling: Implement proper error handling to manage situations where pointers are unexpectedly NULL.
  3. Documentation: Clearly document functions, indicating whether they accept NULL pointers and what the expected behavior is.

Fixed Code Example

#include <stdio.h>
#include <stdlib.h>

// Function that processes an integer array
void processArray(int *arr, size_t size) {
    // Fix: Check if 'arr' is NULL before accessing it
    if (arr == NULL) {
        fprintf(stderr, "Error: NULL pointer passed to processArray\n");
        return; // Early exit to prevent dereferencing a NULL pointer
    }

    for(size_t i = 0; i < size; i++) {
        arr[i] *= 2; // Double each element
    }
}

int main() {
    int *numbers = NULL; // Assumed to be allocated dynamically elsewhere
    size_t size = 5;

    // Now safely handles the NULL pointer scenario with error messaging
    processArray(numbers, size);
    return 0;
}

Explanation

In the fixed example, a NULL check is added at the beginning of the processArray function. If the pointer is NULL, the function logs an error message and exits early, preventing any attempt to dereference the NULL pointer. This not only prevents potential crashes but also improves the robustness of the code by providing clear error feedback.

The code examples now adhere to best practices for C programming, ensuring that the vulnerability is clearly demonstrated and the fix is appropriately implemented.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-476: NULL Pointer Dereference and get remediation guidance

Start for free and no credit card needed.