LOCRET.RET
Function returns address of local variable in a return
The LOCRET.RET checker finds instances in which a function returns the address of a local variable through an expression in the return statement.
Vulnerability and risk
Local variables are allocated on the stack, so when a function returns a pointer to such a variable, it is returning a stack address. That address becomes invalid as soon as the function returns, so any later access through it will probably cause unexpected application behavior, typically a program crash.
Vulnerable code example
#include <stdlib.h>

int *func_RET(unsigned n)
{
    int aux;
    int *p;
    if (n == 1) {
        p = &aux;
    } else {
        p = (int *)malloc(n * sizeof(int));
    }
    return p;
}
Klocwork flags line 12, indicating that function func_RET returns the address of a local variable through the return statement. The address of local variable aux can be assigned to variable 'p', which is returned.
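Two ways to restructure func_RET so that no path returns a stack address, given as an added example that is not part of the Klocwork documentation; the names func_RET_heap and func_RET_caller and the zero-initialization are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fix 1: every path returns heap storage, so the result
 * outlives the call and the caller can always free() it. In the flagged
 * version the n == 1 result was a stack address, which must never be
 * passed to free(). Returns NULL when n == 0 or allocation fails;
 * calloc itself rejects an n * sizeof(int) that would overflow. */
int *func_RET_heap(unsigned n)
{
    if (n == 0) {
        return NULL;
    }
    return calloc(n, sizeof(int));
}

/* Hypothetical fix 2: the caller owns the storage and passes it in, which
 * keeps the "no allocation for small n" intent of the original. The
 * returned pointer is only ever the caller's own buffer, so its lifetime
 * is controlled by the caller's scope, not by this function's frame. */
int *func_RET_caller(unsigned n, int *buf, size_t buf_len)
{
    if (buf == NULL || n == 0 || n > buf_len) {
        return NULL;
    }
    for (unsigned i = 0; i < n; i++) {
        buf[i] = 0;
    }
    return buf;
}

int main(void)
{
    int slot[1];                              /* lives in main's frame */
    int *a = func_RET_heap(1);                /* heap, even for n == 1 */
    int *b = func_RET_caller(1, slot, 1);     /* points at slot        */

    if (a != NULL && b != NULL) {
        a[0] = 7;
        b[0] = 9;
        printf("%d %d\n", a[0], b[0]);
    }
    free(a);                                  /* b must not be freed   */
    return 0;
}
```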
Related checkers
External guidance
- CERT DCL30-C: Declare objects with appropriate storage durations
- CERT EXP54-CPP: Do not access an object outside of its lifetime
- CERT EXP61-CPP: A lambda object must not outlive any of its reference captured objects
- CWE-416: Use After Free
- CWE-562: Return of Stack Variable Address
- CWE-672: Operation on a Resource after Expiration or Release
Security training
Application security training materials provided by Secure Code Warrior.