
Null Pointer Dereference

Rule ID

MI106

Definition

The software dereferences a pointer that is expected to be valid, but is NULL, typically causing a crash or exit.

Example

See one of the applicable code examples from CWE.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed to be provided elsewhere: routine that ensures user_supplied_addr
   is in the right format for conversion */
void validate_addr_form(char *addr);

void host_lookup(char *user_supplied_addr){
  struct hostent *hp;
  in_addr_t addr;      /* holds the converted address itself, not a pointer to it */
  char hostname[64];

  validate_addr_form(user_supplied_addr);
  addr = inet_addr(user_supplied_addr);
  hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
  /* hp is NULL when the address has no hostname, but it is used unchecked */
  strcpy(hostname, hp->h_name);
}
```

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().
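The corrected form of the lookup, as an added example that is not part of this page or of CWE's own example code: the return value of the resolver is checked before it is dereferenced, the address is validated with inet_pton(3) instead of inet_addr(3) (whose INADDR_NONE error value collides with 255.255.255.255), and the copy into the fixed 64-byte buffer is bounded. The function names host_lookup_checked, resolver_fn, the LOOKUP_* codes, the run_* helpers and the stub_resolver_* stubs are all assumptions made for this example; the resolver is passed in as a function pointer with the gethostbyaddr(3) signature so that the NULL path can be exercised offline with a constructed stub.

```c
#define _DEFAULT_SOURCE      /* make sure gethostbyaddr(3) is declared on glibc */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Result codes so the caller can tell the failure modes apart (assumed names). */
enum lookup_result {
    LOOKUP_OK = 0,
    LOOKUP_BAD_ADDRESS = 1,   /* input is not a dotted-quad IPv4 address */
    LOOKUP_NO_HOSTNAME = 2,   /* address is well formed but has no hostname */
    LOOKUP_NAME_TOO_LONG = 3  /* resolved name does not fit the caller's buffer */
};

/* Same signature as gethostbyaddr(3), so either the real call or a stub fits. */
typedef struct hostent *(*resolver_fn)(const void *addr, socklen_t len, int type);

int host_lookup_checked(const char *user_supplied_addr, char *hostname,
                        size_t hostname_len, resolver_fn resolve)
{
    struct in_addr addr;
    struct hostent *hp;
    size_t name_len;

    if (hostname == NULL || hostname_len == 0)
        return LOOKUP_NAME_TOO_LONG;

    /* inet_pton returns 1 only for a syntactically valid IPv4 address; this
       replaces both validate_addr_form() and inet_addr() from the page. */
    if (user_supplied_addr == NULL ||
        inet_pton(AF_INET, user_supplied_addr, &addr) != 1)
        return LOOKUP_BAD_ADDRESS;

    hp = resolve(&addr, sizeof addr, AF_INET);
    /* The check the page's example omits: a well-formed address with no
       reverse mapping yields NULL, which must never be dereferenced. */
    if (hp == NULL || hp->h_name == NULL) {
        hostname[0] = '\0';
        return LOOKUP_NO_HOSTNAME;
    }

    /* Bounded copy instead of strcpy() into a fixed-size buffer. */
    name_len = strlen(hp->h_name);
    if (name_len >= hostname_len) {
        hostname[0] = '\0';
        return LOOKUP_NAME_TOO_LONG;
    }
    memcpy(hostname, hp->h_name, name_len + 1);
    return LOOKUP_OK;
}

/* Constructed stubs standing in for gethostbyaddr(3); neither touches the network. */
static struct hostent *stub_resolver_null(const void *addr, socklen_t len, int type)
{
    (void)addr; (void)len; (void)type;
    return NULL;   /* behaves like an address with no PTR record */
}

static char stub_name[] = "host.example";   /* constructed sample hostname */
static struct hostent *stub_resolver_found(const void *addr, socklen_t len, int type)
{
    static struct hostent he;
    (void)addr; (void)len; (void)type;
    he.h_name = stub_name;
    he.h_addrtype = AF_INET;
    he.h_length = sizeof(struct in_addr);
    return &he;
}

/* One scenario per helper, each returning the result code for inspection.
   192.0.2.1 is from the TEST-NET-1 documentation range. */
int run_bad_address(void)
{
    char h[64];
    return host_lookup_checked("999.1.1.1", h, sizeof h, stub_resolver_found);
}
int run_no_hostname(void)
{
    char h[64];
    return host_lookup_checked("192.0.2.1", h, sizeof h, stub_resolver_null);
}
int run_found(char *out, size_t out_len)
{
    return host_lookup_checked("192.0.2.1", out, out_len, stub_resolver_found);
}

int main(void)
{
    char hostname[64];
    /* A real lookup passes gethostbyaddr itself; the outcome depends on the network. */
    int rc = host_lookup_checked("127.0.0.1", hostname, sizeof hostname, gethostbyaddr);
    printf("127.0.0.1 -> rc=%d name=\"%s\"\n", rc, rc == LOOKUP_OK ? hostname : "");
    printf("stub null resolver -> rc=%d\n", run_no_hostname());
    return 0;
}
```

Injecting the resolver is what makes the NULL path testable: with the real gethostbyaddr(3) the result of any given address depends on DNS, whereas the stub returns NULL deterministically and the function must come back with LOOKUP_NO_HOSTNAME rather than crash. Compile with gcc or clang on a POSIX system; gethostbyaddr(3) is obsolescent, so production code would use getnameinfo(3) with the same NULL and length checks.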

References

  • Common Weakness Enumeration: CWE-476
  • Common Weakness Enumeration: CWE-690