This module implements a check for CWE-476: NULL Pointer Dereference.

Functions like malloc() may return NULL values instead of pointers to indicate failed calls. If one tries to access memory through this return value without checking it for being NULL first, this can crash the program.

See https://cwe.mitre.org/data/definitions/476.html for a detailed description.

How the check works

Using dataflow analysis, we search for an execution path on which a memory access through the return value of a symbol happens before that return value has been checked by a conditional jump instruction.

Symbols configurable in config.json

The symbols are the functions whose return values are assumed to be potential NULL pointers.

False Positives

  • If a possible NULL pointer is temporarily saved in a memory location that the Pointer Inference analysis could not track, the analysis may miss a correct NULL pointer check and thus generate false positives.
  • The analysis is intraprocedural. If a parameter to a function is a potential NULL pointer, this gets flagged as a CWE hit even if the function may expect NULL pointers in its parameters. If a function returns a potential NULL pointer, this gets flagged as a CWE hit, although the function may be supposed to return potential NULL pointers.

False Negatives

  • We do not check whether an access to a potential NULL pointer happens regardless of a prior check.
  • We do not check whether the conditional jump instruction checks specifically for the return value being NULL or for something else.
  • For functions with more than one return value we do not distinguish between the return values.
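The dataflow idea from "How the check works" and the false negatives above, as an added example that is not cwe_checker's own code: a toy intraprocedural taint tracker over a hypothetical register-level IR (`Insn`, `Block`, `find_unchecked_derefs` and the sample CFG are all constructed for illustration). It treats any conditional jump on a tainted register as the NULL check without inspecting what is tested, which is the simplification behind the listed false negatives.

```rust
// Added example, not cwe_checker's code: toy intraprocedural taint tracker for the CWE-476 idea.
use std::collections::{BTreeSet, HashMap};

pub enum Insn {
    Call { dst: &'static str, sym: &'static str }, // dst = sym(); tainted if sym may return NULL
    Load { dst: &'static str, addr: &'static str }, // dst = *addr (dereferences addr)
    Store { addr: &'static str, val: &'static str }, // *addr = val (dereferences addr)
    Move { dst: &'static str, src: &'static str },  // dst = src (taint is copied along)
    CondJump { cond: &'static str },                // branch on cond; treated as "the check"
}
pub struct Block { pub insns: Vec<Insn>, pub succs: Vec<usize> }

/// May-analysis: a block's entry state is the union of its predecessors' exit states, and a
/// dereference through a still-unchecked return value is a hit. Simplification assumed here:
/// a conditional jump on a tainted register clears all taint, whatever it actually tests.
pub fn find_unchecked_derefs(cfg: &[Block], null_syms: &[&str]) -> Vec<(usize, usize)> {
    let mut entry: HashMap<usize, BTreeSet<&'static str>> = HashMap::from([(0, BTreeSet::new())]);
    let (mut work, mut hits) = (vec![0usize], BTreeSet::new());
    while let Some(b) = work.pop() {
        let mut taint = entry[&b].clone();
        for (i, insn) in cfg[b].insns.iter().enumerate() {
            match insn {
                Insn::Call { dst, sym } if null_syms.contains(sym) => { taint.insert(*dst); }
                Insn::Load { dst, addr } => { if taint.contains(addr) { hits.insert((b, i)); } taint.remove(dst); }
                Insn::Store { addr, .. } => { if taint.contains(addr) { hits.insert((b, i)); } }
                Insn::Move { dst, src } if taint.contains(src) => { taint.insert(*dst); }
                Insn::Move { dst, .. } | Insn::Call { dst, .. } => { taint.remove(dst); }
                Insn::CondJump { cond } if taint.contains(cond) => taint.clear(),
                Insn::CondJump { .. } => {}
            }
        }
        for &s in &cfg[b].succs { // propagate; revisit a successor only if its entry state grew
            let grown = !entry.contains_key(&s) || !taint.is_subset(&entry[&s]);
            if grown { entry.entry(s).or_default().extend(&taint); work.push(s); }
        }
    }
    hits.into_iter().collect()
}

/// Constructed sample: block 0 allocates and tests rax (so its copy rbx is safe in block 1),
/// block 2 dereferences a fresh malloc() result unchecked, block 3 tests an unrelated register.
pub fn example_cfg() -> Vec<Block> {
    use Insn::*;
    vec![
        Block { insns: vec![Call { dst: "rax", sym: "malloc" }, Move { dst: "rbx", src: "rax" }, CondJump { cond: "rax" }], succs: vec![1, 2] },
        Block { insns: vec![Load { dst: "rcx", addr: "rbx" }], succs: vec![3] },
        Block { insns: vec![Call { dst: "rdx", sym: "malloc" }, Load { dst: "rsi", addr: "rdx" }], succs: vec![3] },
        Block { insns: vec![Call { dst: "rax", sym: "malloc" }, CondJump { cond: "rdi" }, Store { addr: "rax", val: "rcx" }], succs: vec![] },
    ]
}
```

On the sample CFG the tracker reports the dereferences in block 2 (instruction 1) and block 3 (instruction 2); the checked copy used in block 1 is not reported.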

Re-exports

Modules

  • Module for the taint tracking state. Reused by the check for CWE-337, hence public.
  • Taint tracking module. Reused by the check for CWE-337, hence public.

Structs

  • The configuration struct

Statics

Functions

  • Run the CWE check. We check whether the return values of the symbols configurable in the config file are checked for NULL pointers before any memory access (and thus any potential NULL pointer dereference) through these values happens.