CWE Glossary

CWE is a trademark of the MITRE Corporation.


NULL Pointer Dereference [CWE-476]

This weakness occurs where software dereferences a pointer with a value of NULL instead of a valid address.

Created: September 11, 2012
Latest Update: August 6, 2015

Table of Contents

  1. Description
  2. Potential impact
  3. Affected software
  4. Severity and CVSS Scoring
  5. Mitigations
  6. References
  7. Latest Related Security Advisories

1. Description

NULL pointer dereference errors are common in the C and C++ languages. A pointer is a programming language data type that references a location in memory. Once the value stored at that location is obtained through the pointer, the pointer is considered dereferenced. The NULL pointer dereference weakness occurs where an application dereferences a pointer that is expected to hold a valid address but is instead equal to NULL. The following C++ example causes a NULL pointer dereference error:

  // NULL Pointer Dereference [CWE-476] vulnerable code example
  // (c) HTB Research
  #include <stdio.h>
  #include <tchar.h>
  int *ptr = NULL;                          // never assigned a valid address
  int _tmain(int argc, _TCHAR* argv[])
  {
          *ptr = 17;                        // write through a NULL pointer: access violation
          return 0;
  }

Once executed, the application throws an exception with code c0000005 (STATUS_ACCESS_VIOLATION), as shown below:

(Figure: Crash of application: NULL Pointer Dereference [CWE-476] example)

The following C++ code demonstrates a NULL pointer dereference error within the getaddrinfo() function when no hostname argument is supplied, so that argv[2] is NULL:

  // NULL Pointer Dereference [CWE-476] vulnerable code example
  // (c) HTB Research
  #undef UNICODE
  #define WIN32_LEAN_AND_MEAN
  #include <winsock2.h>
  #include <ws2tcpip.h>
  #include <stdio.h>
  #pragma comment (lib, "Ws2_32.lib")

  int __cdecl main(int argc, char **argv)
  {
          WSADATA wsaData;
          int iResult;
          DWORD dwRetval;
          struct addrinfo *result = NULL;
          struct addrinfo hints;

          // Logic error kept on purpose: the program reads argv[2] and argv[3],
          // so the check has to be argc < 4. With a single argument, argv[2] is
          // the NULL that terminates argv and argv[3] lies beyond the array.
          if(argc<2){
                  printf("usage: %s <proto> <hostname> <servicename>\n", argv[0]);
                  return 1;
          }

          iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
          if (iResult != 0) {
                  printf("WSAStartup failed: %d\n", iResult);
                  return 1;
          }
          ZeroMemory( &hints, sizeof(hints) );
          hints.ai_family = AF_UNSPEC;
          hints.ai_socktype = SOCK_STREAM;
          hints.ai_protocol = IPPROTO_TCP;
          // a NULL node name reaches getaddrinfo() when only one argument was given
          dwRetval = getaddrinfo(argv[2], argv[3], &hints, &result);

          if ( dwRetval != 0 ) {
                  printf("getaddrinfo failed with error: %lu\n", dwRetval);
                  WSACleanup();
                  return 1;
          }
          printf("getaddrinfo returned success\n");
          freeaddrinfo(result);
          WSACleanup();
          return 0;
  }

The above code contains a logic error in the check against the number of input parameters, the if(argc<2) statement: the program goes on to use argv[2] and argv[3], so it needs at least four entries in argv. When only one argument is supplied, argv[2] is the NULL element that terminates argv, and NULL is passed as the first argument of the getaddrinfo() function instead of a valid address.

A number of flaws can cause NULL pointer dereference issues, including race conditions and programming omissions such as the one demonstrated above.

2. Potential impact

In most cases, NULL pointer dereference errors result in a crash of the application; however, code execution is possible under certain circumstances. Depending on the privileges of the application, this weakness can result in a denial of service attack against the entire system or can be used to gain complete control over it.

3. Affected software

Software written in C, C++, Assembly or any other language that makes use of pointers is potentially vulnerable to this type of weakness.

4. Severity and CVSS Scoring

Since NULL pointer dereference errors mostly result in an application crash, they are usually scored with availability impact only. A common CVSS score for a locally exploitable vulnerability in a client application would look like this:
2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P) – Low severity.

If a high-privileged application, such as a driver or a critical system service, contains a NULL pointer dereference error, it should be scored with complete availability impact, since a crash of such an application may render the system inaccessible:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C) – Medium severity.

In cases of remote code execution, the vulnerability is usually scored with a medium or high access complexity metric:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) – Critical severity.


We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration many practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

5. Mitigations

NULL pointer dereference issues frequently result from rarely encountered error conditions and are therefore likely to escape detection during testing. The best way to avoid this weakness is to follow programming best practices:

  • Perform sanity checks on all pointers that can be modified,
  • Check the return value of functions to verify that it is not NULL before using it,
  • Perform input validation on variables and data stores that may receive input from an external source,
  • Explicitly initialize variables during declaration or before their first use,
  • Ensure that proper locking APIs are used to lock before the "if" statement and unlock after it when working in a multi-threaded or otherwise asynchronous environment.

The following example demonstrates validating a pointer before freeing it and resetting it afterwards, so that it cannot be freed or dereferenced a second time:

  if (pointer1 != NULL) {
          free(pointer1);
          pointer1 = NULL;      // prevents a later use of the stale address
  }
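The following is an added example, not code from the page or from HTB Research: it applies the mitigations listed above (explicit initialization, testing the results of pointer-returning calls such as strchr() and malloc() before use, releasing and re-NULLing on the error path) and performs the argument-count check from the getaddrinfo() example against the real number of parameters. split_endpoint() and dup_range() are hypothetical helpers written for this example.

```c
/* Added example (not the page's code); split_endpoint() and dup_range() are hypothetical helpers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy n bytes of s into a new NUL-terminated buffer; NULL if malloc fails. */
static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}
/* Split "host:service" into two allocated strings. Returns 0 on success,
 * -1 on failure; on failure *host and *service are NULL, never dangling. */
int split_endpoint(const char *spec, char **host, char **service)
{
    const char *colon;
    *host = NULL; *service = NULL;   /* explicit initialization before any early return */
    if (spec == NULL)                /* sanity check on a pointer the caller controls */
        return -1;
    colon = strchr(spec, ':');
    if (colon == NULL || colon == spec || colon[1] == '\0')
        return -1;                   /* strchr() returned NULL: test it, never dereference it */
    *host = dup_range(spec, (size_t)(colon - spec));
    if (*host == NULL)               /* malloc() may legitimately return NULL */
        return -1;
    *service = dup_range(colon + 1, strlen(colon + 1));
    if (*service == NULL) {
        free(*host);                 /* release and re-NULL on the error path */
        *host = NULL;
        return -1;
    }
    return 0;
}
int main(int argc, char **argv)
{
    char *host, *service;
    /* argv[argc] is NULL: the count is tested before argv[1] is read */
    if (argc < 2 || split_endpoint(argv[1], &host, &service) != 0) {
        fprintf(stderr, "usage: %s host:service\n", argv[0]);
        return 1;
    }
    printf("host=%s service=%s\n", host, service);
    free(host); free(service);
    return 0;
}
```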

6. References

  1. CWE-476: NULL Pointer Dereference [cwe.mitre.org]
  2. Null-pointer dereference [owasp.org]

7. Latest HTB Security Advisories with CWE-476


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
