LOCRET.GLOB
Function returns address of local variable in a global variable
The LOCRET.GLOB checker finds instances in which a function returns the address of a local variable by writing it into a global variable.
Vulnerability and risk
Local variables are allocated on the stack, so when a function returns a pointer to the variable, it's returning a stack address. The address will be invalidated after returning from the function, so access will probably cause unexpected application behavior, typically a program crash.
Vulnerable code example
Copy
#include <stdlib.h>
int *buf;
void func_GLOB(unsigned n)
{
int aux;
if (n == 1) {
buf = &aux;
} else {
buf = (int *)malloc(n * sizeof(int));
}
}
Klocwork flags line 13 where control leaves function func_GLOB. This indicates that the address of the local variable, aux, which is assigned to a global variable at line 9, is accessible through that global variable after the function returns.
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.