Module cwe_checker_lib::checkers::cwe_476
This module implements a check for CWE-476: NULL Pointer Dereference.
Functions like malloc() may return NULL values instead of pointers to indicate failed calls. If one tries to access memory through this return value without checking it for being NULL first, this can crash the program.
See https://cwe.mitre.org/data/definitions/476.html for a detailed description.
How the check works
Using dataflow analysis we search for an execution path where a memory access using the return value of a symbol happens before the return value is checked through a conditional jump instruction.
Symbols configurable in config.json
The symbols are the functions whose return values are assumed to be potential NULL pointers.
False Positives
- If a possible NULL pointer is temporarily saved in a memory location that the Pointer Inference analysis could not track, the analysis may miss a correct NULL pointer check and thus generate false positives.
- The analysis is intraprocedural. If a parameter to a function is a potential NULL pointer, this gets flagged as a CWE hit even if the function may expect NULL pointers in its parameters. If a function returns a potential NULL pointer this gets flagged as a CWE hit, although the function may be supposed to return potential NULL pointers.
False Negatives
- We do not check whether an access to a potential NULL pointer happens regardless of a prior check.
- We do not check whether the conditional jump instruction checks specifically for the return value being NULL or for something else.
- For functions with more than one return value we do not distinguish between the return values.
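As an added illustration of the "How the check works" and "False Negatives" sections (example code written for this page, not code from the cwe_checker project), the C program below puts the pattern the check reports next to its hardened form and next to the two false-negative shapes listed above. The `allocate()` wrapper and the `fail_next_alloc` flag are constructed for the demo so that a NULL return can be forced without exhausting memory; in a real target the analysed symbol would be `malloc` itself (or `allocate`, if it were listed under the symbols in config.json). Passing the unchecked pointer as a parameter to `memcpy` counts as a hit under the intraprocedural rule in "False Positives" above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fault-injection hook, constructed for this demo (not part of cwe_checker):
 * while fail_next_alloc is non-zero the next allocate() call returns NULL
 * exactly once, so the failure path can be driven without exhausting memory.
 * In a real target the analysed symbol would be malloc() itself. */
static int fail_next_alloc = 0;

static void *allocate(size_t n) {
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* CWE-476 hit: the return value is used for a memory access before any
 * conditional jump tests it. With an injected failure this writes through NULL. */
char *dup_unchecked(const char *s) {
    size_t n = strlen(s) + 1;
    char *buf = allocate(n);
    memcpy(buf, s, n);          /* access through the unchecked return value */
    return buf;
}

/* Hardened form: a conditional jump on the return value precedes every access.
 * Returns 0 and sets *out on success, -1 with *out == NULL on failure. */
int dup_checked(const char *s, char **out) {
    size_t n = strlen(s) + 1;
    char *buf = allocate(n);
    if (buf == NULL) {
        *out = NULL;
        return -1;
    }
    memcpy(buf, s, n);
    *out = buf;
    return 0;
}

/* False negative (first item above): the pointer is checked, but the access
 * happens regardless of the outcome. A conditional jump on buf has been seen
 * before the access, so the return value counts as checked and the memcpy is
 * not reported. */
char *dup_checked_but_used_anyway(const char *s) {
    size_t n = strlen(s) + 1;
    char *buf = allocate(n);
    if (buf == NULL)
        fputs("allocation failed\n", stderr);   /* logs, but does not bail out */
    memcpy(buf, s, n);          /* still reached when buf is NULL */
    return buf;
}

/* False negative (second item above): the conditional jump does depend on the
 * return value, but tests its alignment rather than nullness. NULL is 8-byte
 * aligned, so the dereference is reached, yet the pointer counts as checked. */
char *dup_wrong_condition(const char *s) {
    size_t n = strlen(s) + 1;
    char *buf = allocate(n);
    if (((uintptr_t)buf & 0x7) != 0)
        return buf;             /* unaligned block: hand it back untouched */
    memcpy(buf, s, n);
    return buf;
}

/* Drives dup_checked() through the success and the forced-failure path;
 * returns 1 if both behaved as documented. */
int demo_checked_paths(void) {
    char *out = NULL;
    if (dup_checked("hello", &out) != 0 || out == NULL || strcmp(out, "hello") != 0)
        return 0;
    free(out);
    fail_next_alloc = 1;        /* force the NULL return once */
    if (dup_checked("hello", &out) != -1 || out != NULL)
        return 0;
    return 1;
}

int main(void) {
    char *a = dup_unchecked("ok");     /* fine while allocate() succeeds */
    printf("dup_unchecked: %s\n", a);
    free(a);
    printf("dup_checked handles failure: %s\n", demo_checked_paths() ? "yes" : "no");
    return 0;
}
```

Only `dup_checked` survives a forced NULL return; the other three functions crash when `fail_next_alloc` is set, but the static check reports only `dup_unchecked`, because in the two false-negative functions a conditional jump on the return value is reached before the access.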
Re-exports
pub use taint::*;
Modules
- Module for the taint tracking state. Reused by the check for CWE-337, hence public.
- Taint tracking module. Reused by the check for CWE-337, hence public.
Structs
- The configuration struct
Statics
- The module name and version
Functions
- Run the CWE check. We check whether the return values of symbols configurable in the config file are being checked for NULL pointers before any memory access (and thus potential NULL pointer dereference) through these values happens.