Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Redundant Null Check

Abstract
The program can potentially dereference a null-pointer, thereby causing a segmentation fault.
Explanation
Null-pointer exceptions usually occur when one or more of the programmer's assumptions is violated. There are at least three flavors of this problem: check-after-dereference, dereference-after-check, and dereference-after-store. A check-after-dereference error occurs when a program dereferences a pointer that can be null before checking if the pointer is null. Dereference-after-check errors occur when a program makes an explicit check for null, but proceeds to dereference the pointer when it is known to be null. Errors of this type are often the result of a typo or programmer oversight. A dereference-after-store error occurs when a program explicitly sets a pointer to null and dereferences it later. This error is often the result of a programmer initializing a variable to null when it is declared.

Most null-pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null-pointer dereference, the attacker may be able to use the resulting exception to bypass security logic in order to mount a denial of service attack, or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.

Example 1: In the following code, the programmer assumes that the variable ptr is not NULL. That assumption is made explicit when the programmer dereferences the pointer. This assumption is later contradicted when the programmer checks ptr against NULL. If ptr can be NULL when it is checked in the if statement then it can also be NULL when it dereferenced and may cause a segmentation fault.


ptr->field = val;
...
if (ptr != NULL) {
...
}
Example 2: In the following code, the programmer confirms that the variable ptr is NULL and subsequently dereferences it erroneously. If ptr is NULL when it is checked in the if statement, then a null dereference will occur, thereby causing a segmentation fault.


if (ptr == null) {
ptr->field = val;
...
}
Example 3: In the following code, the programmer forgets that the string '\0' is actually 0 or NULL, thereby dereferencing a null-pointer and causing a segmentation fault.


if (ptr == '\0') {
*ptr = val;
...
}
Example 4: In the following code, the programmer explicitly sets the variable ptr to NULL. Later, the programmer dereferences ptr before checking the object for a null value.


*ptr = NULL;
...
ptr->field = val;
...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[6] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[22] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
[23] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
desc.controlflow.cpp.redundant_null_check
Abstract
The program can dereference a null-pointer, thereby causing a null-pointer exception.
Explanation
Null-pointer exceptions usually occur when one or more of the programmer's assumptions is violated. Specifically, dereference-after-check errors occur when a program makes an explicit check for null, but proceeds to dereference the object when it is known to be null. Errors of this type are often the result of a typo or programmer oversight.

Most null-pointer issues result in general software reliability problems, but if attackers can intentionally cause the program to dereference a null-pointer, they can use the resulting exception to mount a denial of service attack or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.

Example 1: In the following code, the programmer confirms that the variable foo is null and subsequently dereferences it erroneously. If foo is null when it is checked in the if statement, then a null dereference will occur, thereby causing a null-pointer exception.


if (foo == null) {
foo.setBar(val);
...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[6] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[22] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
[23] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
desc.internal.java.null_dereference_dereference_after_check