CWE-690: Unchecked Return Value to NULL Pointer Dereference

Structure: Chain

Abstraction: Compound

Status: Draft

Likelihood of Exploit: Unknown


The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.


While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.


  • StartsWith: CWE-252 (View 709, Chain 690)

  • ChildOf: CWE-476 (View 1000, Ordinal: Primary)


Language: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)


| Scope | Impact | Notes |
| --- | --- | --- |
| Availability | DoS: Crash, Exit, or Restart | |


Black Box

This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.

White Box

Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.


The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).

Bad code (Java):

    String username = getUserName();
    // getUserName() can return null; the call below then throws NullPointerException
    if (username.equals(ADMIN_USER)) {
        // ...
    }

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

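Bad code (C):

    #include <arpa/inet.h>
    #include <netdb.h>
    #include <string.h>
    #include <sys/socket.h>

    void host_lookup(char *user_supplied_addr){
        struct hostent *hp;
        in_addr_t addr;
        char hostname[64];
        in_addr_t inet_addr(const char *cp);

        /* routine that ensures user_supplied_addr is in the right format for conversion */

        addr = inet_addr(user_supplied_addr);
        /* return value is not checked: hp is NULL when the address does not resolve */
        hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
        strcpy(hostname, hp->h_name);
    }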

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this example is also vulnerable to a buffer overflow (see CWE-119).
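A checked counterpart to host_lookup(), added here as an illustration and not part of the CWE entry. The names host_lookup_checked, resolver_fn, demo_buf, the LOOKUP_* codes and the two stub resolvers are hypothetical; the resolver is passed in so that the NULL-return path can be exercised offline (real code would pass a function with gethostbyaddr()'s signature), and inet_pton() is used in place of inet_addr().

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Same shape as gethostbyaddr(); passed in so the failure path runs offline. */
typedef struct hostent *(*resolver_fn)(const void *, socklen_t, int);
enum { LOOKUP_OK, LOOKUP_BAD_ADDR, LOOKUP_NO_HOST, LOOKUP_TOO_LONG };

int host_lookup_checked(const char *user_supplied_addr, char *hostname,
                        size_t hostname_len, resolver_fn resolve)
{
    struct in_addr addr;
    struct hostent *hp;
    if (!user_supplied_addr || !hostname || hostname_len == 0 || !resolve)
        return LOOKUP_BAD_ADDR;
    hostname[0] = '\0';
    /* inet_pton() replaces inet_addr(): it reports malformed input unambiguously. */
    if (inet_pton(AF_INET, user_supplied_addr, &addr) != 1)
        return LOOKUP_BAD_ADDR;
    hp = resolve(&addr, sizeof(addr), AF_INET);
    if (hp == NULL || hp->h_name == NULL)   /* the check whose absence is CWE-252 */
        return LOOKUP_NO_HOST;              /* nothing is dereferenced: no CWE-476 */
    size_t n = strlen(hp->h_name);
    if (n >= hostname_len)                  /* bounded copy, addresses CWE-119 */
        return LOOKUP_TOO_LONG;
    memcpy(hostname, hp->h_name, n + 1);
    return LOOKUP_OK;
}

/* Constructed stand-ins for gethostbyaddr(): one fails, one succeeds. */
static struct hostent *stub_unresolved(const void *a, socklen_t l, int t)
{ (void)a; (void)l; (void)t; return NULL; }

static struct hostent *stub_resolved(const void *a, socklen_t l, int t)
{
    static char name[] = "host.example.test";   /* constructed sample name */
    static struct hostent he = { .h_name = name };
    (void)a; (void)l; (void)t;
    return &he;
}

static char demo_buf[64];

int main(void)
{
    printf("%d\n", host_lookup_checked("192.0.2.7", demo_buf, sizeof demo_buf, stub_unresolved));
    printf("%d\n", host_lookup_checked("192.0.2.7", demo_buf, sizeof demo_buf, stub_resolved));
    return 0;
}
```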


| Identifier | Description |
| --- | --- |
| CVE-2008-1052 | Large Content-Length value leads to NULL pointer dereference when malloc fails. |
| CVE-2006-6227 | Large message length field leads to NULL pointer dereference when malloc fails. |
| CVE-2006-2555 | Parsing routine encounters NULL dereference when input is missing a colon separator. |
| CVE-2003-1054 | URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference. |
| CVE-2008-5183 | chain: unchecked return value can lead to NULL dereference |


| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
| --- | --- | --- | --- |
| CERT C Secure Coding | EXP34-C | CWE More Specific | Do not dereference null pointers |
| The CERT Oracle Secure Coding Standard for Java (2011) | ERR08-J | | Do not catch NullPointerException or any of its ancestors |
| SEI CERT Perl Coding Standard | EXP32-PL | CWE More Specific | Do not ignore function return values |