Function returns address of local variable

The LOCRET.ARG checker finds instances in which a function returns the address of a local variable by writing it into memory referenced by its argument.

Vulnerability and risk

Local variables are allocated on the stack, so when a function returns a pointer to the variable, it's returning a stack address. The address will be invalidated after returning from the function, so access will probably cause unexpected application behavior, typically a program crash.

Vulnerable code example

1  #include <stdlib.h>
3  void func_ARG(int **pp, unsigned n)
4  {
5      int aux;
6      if (n == 1) {
7          *pp = &aux;
8      } else {
9          *pp = (int *)malloc(n * sizeof(int));
10     }
11 }

Klocwork flags line 7, indicating that function func_ARG returns the address of a local variable through its argument. The address of local variable aux can be assigned to *pp, which can be used when the function returns.

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.