NPD.GEN.CALL.MIGHT

Possible assigned null pointer may be dereferenced through a conditional function call

An attempt to access data using a null pointer causes a runtime error. When a program dereferences a pointer that is expected to be valid but turns out to be null, a null pointer dereference occurs. Null-pointer dereference defects often occur due to ineffective error handling or race conditions, and typically cause abnormal program termination. Before a pointer is dereferenced in C/C++ code, it must be checked to confirm that it is not equal to null.

The NPD checkers look for instances in which a null or possibly null pointer is dereferenced.

The NPD.GEN.CALL.MIGHT checker flags situations in which a pointer that's possibly been assigned a constant null value locally might subsequently be passed to a function that dereferences it without checking it for null.

Vulnerability and risk

Null-pointer dereferences usually result in the failure of the process. These issues typically occur due to ineffective exception handling.

Mitigation and prevention

To avoid this vulnerability:

• Check for a null value in the results of all functions that return values
• Make sure all external inputs are validated
• Explicitly initialize variables
• Make sure that unusual exceptions are handled correctly

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
12
  void reassign(int *argument, int *p) {
    if (goodEnough(argument)) return;
    *argument = *p;
  }
  
  void npd_gen_call_might(int *argument) {
    int *p = NULL;
    if (someCondition()) {
      p = f();
   }
   reassign(argument, p);
 }

Klocwork reports a defect in this example because *p, which may be equal to null depending on the result of function npd_gen_call_might, may be passed to function reassign, in which it's dereferenced. This type of vulnerability can produce unexpected and unintended results.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
  void reassign(int *argument, int *p) {
    if (goodEnough(argument)) return;
    *argument = *p;
  }
  
  void npd_gen_call_might(int *argument) {
    int *p = NULL;
    if (someCondition()) {
      p = f();
   }
   if (p != 0) reassign(argument, p);
 }

In the fixed version, *p is checked for null in line 11 before the dereference.

Related checkers

• NPD.CHECK.CALL.MIGHT
• NPD.CHECK.CALL.MUST
• NPD.CHECK.MIGHT
• NPD.CHECK.MUST
• NPD.CONST.CALL
• NPD.CONST.DEREF
• NPD.FUNC.CALL.MIGHT
• NPD.FUNC.CALL.MUST
• NPD.FUNC.MIGHT
• NPD.FUNC.MUST
• NPD.GEN.CALL.MUST
• NPD.GEN.MIGHT
• NPD.GEN.MUST

External guidance

• CERT EXP34-C: Do not dereference null pointers
• CERT MEM52-CPP: Detect and handle memory allocation errors
• CERT STR51-CPP: Do not attempt to create a std::string from a null pointer
• CWE-476: NULL Pointer Dereference

Security training

Application security training materials provided by Secure Code Warrior.

• Null Dereference Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.