CWE-562: Return of Stack Variable Address

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Unknown


A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.


Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.


  • ChildOf: CWE-758 (View 1000, Primary)

  • ChildOf: CWE-758 (View 699, Primary)

  • CanPrecede: CWE-672 (View 1000)

  • CanPrecede: CWE-825 (View 1000)


Language: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)


Scope | Impact | Notes
Availability | DoS: Crash, Exit, or Restart |




Use static analysis tools to spot return of the address of a stack variable.


The following function returns a stack address.

bad C

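char* getName() {
    char name[STR_MAX];  /* automatic storage: lives in getName()'s stack frame */
    return name;         /* BAD: this address is invalid once getName() returns */
}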
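The corrected counterparts of getName(), as an added example that is not part of the CWE entry: one variant writes into caller-supplied storage and the other returns allocated storage, in line with DCL30-C. The value of STR_MAX, the sample name and all function names here are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STR_MAX 32                          /* assumed; the page leaves STR_MAX undefined */
static const char SAMPLE_NAME[] = "alice";  /* constructed sample value */

/* Fix 1: the caller owns the storage, so it outlives this call.
 * Returns 0 on success, -1 if buf is NULL or too small. */
int get_name_into(char *buf, size_t len) {
    if (buf == NULL || len < sizeof SAMPLE_NAME)
        return -1;
    memcpy(buf, SAMPLE_NAME, sizeof SAMPLE_NAME);
    return 0;
}

/* Fix 2: allocated storage duration, valid until the caller free()s it. */
char *get_name_alloc(void) {
    char *name = malloc(STR_MAX);
    if (name == NULL)
        return NULL;
    snprintf(name, STR_MAX, "%s", SAMPLE_NAME);
    return name;
}

/* A later call that reuses the stack, the situation in which the
 * pointer returned by the page's getName() would be overwritten. */
static int clobber_stack(void) {
    volatile char scratch[256];
    for (size_t i = 0; i < sizeof scratch; i++)
        scratch[i] = 0x41;
    return scratch[0];
}

/* Returns 1 if both fixed variants still hold the name after other calls ran. */
int names_survive_later_calls(void) {
    char local[STR_MAX];
    char *heap = get_name_alloc();
    int ok = heap != NULL && get_name_into(local, sizeof local) == 0;
    clobber_stack();
    ok = ok && strcmp(local, SAMPLE_NAME) == 0 && strcmp(heap, SAMPLE_NAME) == 0;
    free(heap);
    return ok;
}

int main(void) {
    printf("names survive later calls: %d\n", names_survive_later_calls());
    return 0;
}
```

GCC's -Wreturn-local-addr and Clang's -Wreturn-stack-address warnings flag the pattern in the page's getName() at compile time, and neither fires on the two variants above.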


Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CERT C Secure Coding | DCL30-C | CWE More Specific | Declare objects with appropriate storage durations
CERT C Secure Coding | POS34-C | | Do not call putenv() with a pointer to an automatic variable as the argument
Software Fault Patterns | SFP1 | | Glitch in computation