
This module implements a check for CWE-476: NULL Pointer Dereference.

Functions like malloc() may return NULL instead of a valid pointer to signal a failed call. If the program dereferences this return value without first checking it for NULL, the access crashes the program (or, in the worst case, becomes exploitable).

See https://cwe.mitre.org/data/definitions/476.html for a detailed description.

How the check works

Using dataflow analysis, we search for an execution path on which memory is accessed through the return value of one of the configured symbols before that return value has been checked by a conditional jump instruction.

Symbols configurable in config.json

The symbols are the functions whose return values are assumed to be potential NULL pointers.

False Positives

  • If a possible NULL pointer is temporarily saved in a memory location that the Pointer Inference analysis could not track, the analysis may miss a correct NULL pointer check and thus generate false positives.
  • The analysis is intraprocedural. If a potential NULL pointer is passed as a parameter to a function, this is flagged as a CWE hit even if the callee expects and handles NULL in that parameter. Likewise, if a function returns a potential NULL pointer, this is flagged as a CWE hit although the function may be supposed to return NULL in some cases.

False Negatives

  • We do not check whether an access to a potential NULL pointer happens regardless of a prior check, i.e. a conditional jump that tests the pointer but does not prevent the access on the NULL branch still counts as a check.
  • We do not check whether the conditional jump instruction tests specifically for the return value being NULL or for something else.
  • For functions with more than one return value we do not distinguish between the return values.
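The following C program is an added illustration, not code from this module or the project it belongs to, of the patterns the check distinguishes as described under "How the check works", "False Positives" and "False Negatives" above. It assumes that malloc is among the configured symbols. The `failing_alloc_size()` helper is a constructed way to obtain an allocation size that malloc() rejects on common allocators without the compiler folding it into a constant, so the failure path can be exercised without crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed helper: a size malloc() cannot satisfy, read through a volatile
 * so the compiler cannot constant-fold it (assumption: the allocator returns
 * NULL for it, as glibc and musl do). */
static volatile size_t huge_request = (size_t)-1;
size_t failing_alloc_size(void)
{
    return huge_request;
}

/* Pattern the check reports: the malloc() result is dereferenced before any
 * conditional jump tests it. On allocation failure this dereferences NULL. */
int fill_unchecked(size_t n, char fill)
{
    char *buf = malloc(n);        /* malloc is assumed to be a configured symbol */
    memset(buf, fill, n);         /* memory access before any NULL check: CWE-476 hit */
    int first = buf[0];
    free(buf);
    return first;
}

/* Hardened form: the conditional jump on the return value precedes every
 * access, so no access happens on the path where malloc() returned NULL. */
int fill_checked(size_t n, char fill)
{
    char *buf = malloc(n);
    if (buf == NULL) {
        return -1;                /* report the failure instead of dereferencing NULL */
    }
    memset(buf, fill, n);
    int first = buf[0];
    free(buf);
    return first;
}

/* False negative described above: a conditional jump tests the return value,
 * which satisfies the check, but the access is executed on both branches. */
int fill_checked_but_still_dereferenced(size_t n, char fill)
{
    char *buf = malloc(n);
    if (buf == NULL) {
        fputs("allocation failed\n", stderr);   /* logs, but does not bail out */
    }
    memset(buf, fill, n);         /* still reached with buf == NULL */
    int first = buf[0];
    free(buf);
    return first;
}

/* Callee that deliberately accepts NULL. */
static int is_missing(const void *p)
{
    return p == NULL;
}

/* False positive described above: the unchecked malloc() result is only passed
 * to a NULL-tolerant callee (and to free(), which accepts NULL), yet an
 * intraprocedural analysis reports the parameter as a potential NULL dereference. */
int allocation_missing(size_t n)
{
    char *buf = malloc(n);
    int missing = is_missing(buf);
    free(buf);
    return missing;
}

int main(void)
{
    /* Only the hardened and the NULL-tolerant functions are safe to call with a
     * failing size; the other two would crash on it, which is the point. */
    printf("fill_checked(failing size)      = %d\n", fill_checked(failing_alloc_size(), 'x'));
    printf("fill_checked(16)                = %d\n", fill_checked(16, 'x'));
    printf("allocation_missing(failing size) = %d\n", allocation_missing(failing_alloc_size()));
    printf("fill_unchecked(16)              = %d\n", fill_unchecked(16, 'y'));
    return 0;
}
```

Compiling this program and running the check on the resulting binary should produce hits for `fill_unchecked()` and `allocation_missing()`, and none for `fill_checked()`; `fill_checked_but_still_dereferenced()` illustrates the case the check cannot distinguish from `fill_checked()`.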

Structs

  • The configuration struct.

Statics

Functions