Description
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.
Potential Impact
Availability
DoS: Crash, Exit, or Restart
Integrity, Confidentiality, Availability
Execute Unauthorized Code or Commands, Read Memory, Modify Memory
Demonstrative Examples
Example 1 (Java): `getUserName()` can return null when it fails, and the result is dereferenced without a check.

```java
String username = getUserName();
if (username.equals(ADMIN_USER)) { ... }
```

Example 2 (C): `gethostbyaddr()` returns NULL when the reverse lookup fails, and `hp->h_name` is dereferenced without a check.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* routine that ensures user_supplied_addr is in the right format for conversion */
void validate_addr_form(char *addr);

void host_lookup(char *user_supplied_addr) {
    struct hostent *hp;
    in_addr_t addr;
    char hostname[64];

    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
    /* hp is NULL on lookup failure; the next line dereferences it unchecked */
    strcpy(hostname, hp->h_name);
}
```

Detection Methods
- Black Box — This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.
- White Box — Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.
- Automated Dynamic Analysis (effectiveness: Moderate) — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2008-1052 | Large Content-Length value leads to NULL pointer dereference when malloc fails. |
| CVE-2006-6227 | Large message length field leads to NULL pointer dereference when malloc fails. |
| CVE-2006-2555 | Parsing routine encounters NULL dereference when input is missing a colon separator. |
| CVE-2003-1054 | URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference. |
| CVE-2008-5183 | Chain: unchecked return value can lead to NULL dereference. |
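The allocation-failure pattern behind the first two CVEs above, as an added example that is not CWE's own demonstrative code: an attacker-controlled length is handed to the allocator, the unchecked version dereferences the NULL that a failed allocation returns, and the hardened version bounds the length and checks the result. The `alloc_fn` hook, `MAX_BODY_LEN` and the two function names are assumptions made so the failure path can be exercised without exhausting memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook (constructed for this example) so that a failing
 * allocation can be simulated deterministically instead of relying on
 * real memory exhaustion. */
typedef void *(*alloc_fn)(size_t);

/* Vulnerable pattern (CWE-690): the allocator's result is used without a
 * NULL check. A huge Content-Length makes the allocation fail and memset
 * then writes through a NULL pointer, crashing the process. */
static char *read_body_unchecked(size_t content_length, alloc_fn allocator) {
    char *buf = allocator(content_length + 1);
    memset(buf, 0, content_length + 1);   /* NULL dereference on failure */
    return buf;
}

/* Hardened version: reject absurd lengths before allocating (this also
 * keeps content_length + 1 from wrapping to 0) and check the result. */
#define MAX_BODY_LEN (16u * 1024u * 1024u)   /* assumed policy limit */

static char *read_body_checked(size_t content_length, alloc_fn allocator, int *err) {
    *err = 0;
    if (content_length > MAX_BODY_LEN) {   /* untrusted length is bounded */
        *err = 1;
        return NULL;
    }
    char *buf = allocator(content_length + 1);
    if (buf == NULL) {                     /* the check CWE-690 is about */
        *err = 2;
        return NULL;
    }
    memset(buf, 0, content_length + 1);
    return buf;
}

/* Constructed allocator that always fails, standing in for malloc under
 * memory pressure; it lets the error path run without a real OOM. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

int main(void) {
    int err;
    char *body = read_body_checked((size_t)-1, malloc, &err);
    printf("oversized length: buf=%p err=%d\n", (void *)body, err);
    body = read_body_checked(64, failing_alloc, &err);
    printf("failed allocation: buf=%p err=%d\n", (void *)body, err);
    (void)read_body_unchecked;   /* never called: it would crash on failure */
    return 0;
}
```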
Related Weaknesses
Taxonomy Mappings
- CERT C Secure Coding: EXP34-C — Do not dereference null pointers
- The CERT Oracle Secure Coding Standard for Java (2011): ERR08-J — Do not catch NullPointerException or any of its ancestors
- SEI CERT Perl Coding Standard: EXP32-PL — Do not ignore function return values
Frequently Asked Questions
What is CWE-690?
CWE-690 (Unchecked Return Value to NULL Pointer Dereference) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Compound-level weakness. The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
How can CWE-690 be exploited?
Attackers can exploit CWE-690 (Unchecked Return Value to NULL Pointer Dereference) to cause a denial of service (crash, exit, or restart). This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-690?
Check the return value of every function that can return NULL before dereferencing it (see CERT EXP34-C above), follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-690?
CWE-690 is classified as a Compound-level weakness (Complex abstraction). It has been observed in 5 real-world CVEs.