{"@ID": "690", "@Name": "Unchecked Return Value to NULL Pointer Dereference", "@Abstraction": "Compound", "@Structure": "Chain", "@Status": "Draft", "Description": "The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.", "Extended_Description": "While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "StartsWith", "@CWE_ID": "252", "@View_ID": "709", "@Chain_ID": "690"}, {"@Nature": "ChildOf", "@CWE_ID": "252", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Class": "Memory-Unsafe", "@Prevalence": "Often"}, {"@Name": "C", "@Prevalence": "Undetermined"}, {"@Name": "C++", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "A typical occurrence of this weakness occurs when an application includes user-controlled input to a malloc() call. The related code might be correct with respect to preventing buffer overflows, but if a large value is provided, the malloc() will fail due to insufficient memory. This problem also frequently occurs when a parsing routine expects that certain elements will always be present. If malformed input is provided, the parser might return NULL. For example, strtok() can return NULL."}}, "Common_Consequences": {"Consequence": [{"Scope": "Availability", "Impact": "DoS: Crash, Exit, or Restart"}, {"Scope": ["Integrity", "Confidentiality", "Availability"], "Impact": ["Execute Unauthorized Code or Commands", "Read Memory", "Modify Memory"], "Note": "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."}]}, "Detection_Methods": {"Detection_Method": [{"Method": "Black Box", "Description": "This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing."}, {"Method": "White Box", "Description": "Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used."}, {"@Detection_Method_ID": "DM-15", "Method": "Automated Dynamic Analysis", "Description": "Use tools that are integrated during\n\t      compilation to insert runtime error-checking mechanisms\n\t      related to memory safety errors, such as AddressSanitizer\n\t      (ASan) for C/C++ [REF-1518].", "Effectiveness": "Moderate", "Effectiveness_Notes": "Crafted inputs are necessary to\n\t      reach the code containing the error, such as generated\n\t      by fuzzers.  Also, these tools may reduce performance,\n\t      and they only report the error condition - not the\n\t      original mistake that led to the\n\t      error."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": "The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "#text": "..."}, "#text": "String username = getUserName();if (username.equals(ADMIN_USER)) {}"}}}, {"@Demonstrative_Example_ID": "DX-1", "Intro_Text": "This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null], "xhtml:i": "/*routine that ensures user_supplied_addr is in the right format for conversion */", "#text": "struct hostent *hp;in_addr_t *addr;char hostname[64];in_addr_t inet_addr(const char *cp);\n                           \n                           \n                           \n                           validate_addr_form(user_supplied_addr);addr = inet_addr(user_supplied_addr);hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);strcpy(hostname, hp->h_name);"}}, "#text": "void host_lookup(char *user_supplied_addr){}"}}, "Body_Text": ["If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().", "Note that this code is also vulnerable to a buffer overflow (CWE-119)."]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2008-1052", "Description": "Large Content-Length value leads to NULL pointer dereference when malloc fails.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-1052"}, {"Reference": "CVE-2006-6227", "Description": "Large message length field leads to NULL pointer dereference when malloc fails.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-6227"}, {"Reference": "CVE-2006-2555", "Description": "Parsing routine encounters NULL dereference when input is missing a colon separator.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-2555"}, {"Reference": "CVE-2003-1054", "Description": "URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-1054"}, {"Reference": "CVE-2008-5183", "Description": "chain: unchecked return value can lead to NULL dereference", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-5183"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "EXP34-C", "Entry_Name": "Do not dereference null pointers", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "ERR08-J", "Entry_Name": "Do not catch NullPointerException or any of its ancestors"}, {"@Taxonomy_Name": "SEI CERT Perl Coding Standard", "Entry_ID": "EXP32-PL", "Entry_Name": "Do not ignore function return values", "Mapping_Fit": "CWE More Specific"}]}, "References": {"Reference": {"@External_Reference_ID": "REF-1518"}}, "Mapping_Notes": {"Usage": "Discouraged", "Rationale": "This CWE entry is a named chain, which combines multiple weaknesses.", "Comments": "Mapping to each separate weakness in the chain would be more precise.", "Reasons": {"Reason": {"@Type": "Other"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2008-04-11", "Submission_Version": "Draft 9", "Submission_ReleaseDate": "2008-04-11"}, "Modification": [{"Modification_Name": "Sean Eidemiller", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated demonstrative examples"}, {"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Description, Detection_Factors, Relationships, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-12-28", "Modification_Version": "1.7", "Modification_ReleaseDate": "2009-12-28", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-06-23", "Modification_Version": "2.7", "Modification_ReleaseDate": "2014-06-23", "Modification_Comment": "updated Modes_of_Introduction, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities"}]}}
