CWE-562: Return of Stack Variable Address

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Unknown

Description

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

Extended Description

Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.

Related Weaknesses

  • ChildOf: CWE-758 (View 1000, Ordinal: Primary)

  • ChildOf: CWE-758 (View 699, Ordinal: Primary)

  • CanPrecede: CWE-672 (View 1000)

  • CanPrecede: CWE-825 (View 1000)

Applicable Platforms

Language: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)

Common Consequences

| Scope | Impact | Notes |
|---|---|---|
| Availability | DoS: Crash, Exit, or Restart | |

Potential Mitigations

Testing

Strategy:

Use static analysis tools to spot return of the address of a stack variable.

Example Code

The following function returns a stack address.

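Bad example (C):

    char* getName() {
        char name[STR_MAX];   /* automatic storage: lifetime ends when getName() returns */
        fillInName(name);
        return name;          /* returns a dangling stack address */
    }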
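Two ways to repair getName() by giving the buffer a storage duration that outlives the call, as an added example that is not part of the original entry. The value of STR_MAX, the capacity argument on fillInName(), and the names getNameInto(), getNameAlloc() and clobberStack() are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STR_MAX 64  /* assumed size; the page does not define STR_MAX */

/* Assumed stand-in for the page's fillInName(), with a capacity argument added:
   writes a constructed sample name, truncated to fit and NUL-terminated. */
static void fillInName(char *buf, size_t cap) {
    snprintf(buf, cap, "%s", "example-user");
}

/* Fix 1: the caller owns the storage, so it is still alive after the call.
   Returns 0 on success, -1 if the arguments are unusable. */
int getNameInto(char *out, size_t cap) {
    if (out == NULL || cap == 0) return -1;
    fillInName(out, cap);
    return 0;
}

/* Fix 2: allocated storage duration. The pointer stays valid after return
   and the caller must free() it. Returns NULL on allocation failure. */
char *getNameAlloc(void) {
    char *name = malloc(STR_MAX);
    if (name == NULL) return NULL;
    fillInName(name, STR_MAX);
    return name;
}

/* Plays the role of the "subsequent function call" in the description:
   it writes over its own stack frame, which would overlap a dead frame. */
int clobberStack(void) {
    volatile char scratch[4 * STR_MAX];
    for (size_t i = 0; i < sizeof scratch; i++) scratch[i] = 'X';
    return scratch[0];
}

int main(void) {
    char local[STR_MAX];
    char *heap = getNameAlloc();
    if (heap == NULL || getNameInto(local, sizeof local) != 0) return 1;
    clobberStack();  /* a later call reuses stack space; both names survive */
    printf("%s %s\n", local, heap);
    int differ = strcmp(local, heap) != 0;
    free(heap);
    return differ;
}
```

Compilers can flag the original pattern at build time: GCC's -Wreturn-local-addr and Clang's -Wreturn-stack-address warn when a function returns the address of a local variable.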

Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| CERT C Secure Coding | DCL30-C | CWE More Specific | Declare objects with appropriate storage durations |
| CERT C Secure Coding | POS34-C | | Do not call putenv() with a pointer to an automatic variable as the argument |
| Software Fault Patterns | SFP1 | | Glitch in computation |