# CWE-476: NULL Pointer Dereference in warnf Function

checkmate

Jan 20, 2026, 12:15:58 PM (20 hours ago) Jan 20
to lua-l
Description

The warnf function in ltests.c has a potential vulnerability due to a NULL pointer dereference. This vulnerability is classified under CWE-476 (NULL Pointer Dereference).

Vulnerability Details
  1. Function Signature: The target function is warnf(void *ud, const char *msg, int tocont).

  2. Dereferencing without Checking: The msg parameter, which is a const char*, is accessed multiple times without any checks for NULL. Specifically:

    • At line 50, *msg == '@' dereferences msg directly.

    • At lines 53, 55, 57, 59, and 61, calls to strcmp(msg, ...) dereference msg again.

  3. Consequences: If msg is NULL, all dereferencing operations will cause a NULL pointer dereference, potentially leading to application crashes.

  4. Context Analysis: This code is part of a C/C++ project which involves Lua testing and lacks implicit sanitization for NULL pointers. There are no checks to ensure msg is not NULL before its use.

  5. Code Review: A review of the function indicates no conditional checks exist for msg != NULL. The function assumes the msg parameter is always valid, which is unsafe.

Code Snippet

Here’s the relevant code from ltests.c that illustrates the vulnerability:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added stub with the signature of the real ltests.c helper, so the fragment compiles */
static void badexit(const char *fmt, const char *s1, const char *s2) {
  fprintf(stderr, fmt, s1, s2);
  exit(EXIT_FAILURE);
}

void warnf(void *ud, const char *msg, int tocont) {
  static char buff[200] = "";   /* accumulates the pieces of one warning */
  static int lasttocont = 0;    /* was the previous piece a continuation? */
  if (!lasttocont && !tocont && *msg == '@') {  /* control message? (msg dereferenced, no NULL check) */
      // ... control message handling
  }
  lasttocont = tocont;
  if (strlen(msg) >= sizeof(buff) - strlen(buff))  /* strlen(NULL) would also crash here */
      badexit("warnf-buffer overflow (%s)\n", msg, buff);
  strcat(buff, msg);
  // more code...
}
```
Conclusion

The lack of NULL checks on the msg pointer in warnf may lead to unexpected crashes if called with a NULL argument.

Version Information
  • Version: 0b73ed8f083c99b5ff88e0822532db7ad8785881
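The following is an added example, not code from Lua's ltests.c or from the reporter: a warning sink with the same shape as warnf (a `void *ud, const char *msg, int tocont` callback) that keeps its state in a struct passed through `ud` instead of static variables, so its behaviour can be tested, and that rejects a NULL `msg` up front instead of dereferencing it. The struct name `warnstate`, the function name `safe_warnf` and the counters are assumptions for this example. Whether a NULL `msg` can actually reach the real warnf depends on the C code calling lua_warning, which forwards the pointer it is given; the check below simply makes the sink robust regardless of the caller.

```c
#include <stdio.h>
#include <string.h>

#define WARN_BUFSZ 200

/* Hypothetical per-sink state, replacing warnf's static variables. */
typedef struct warnstate {
  char buff[WARN_BUFSZ];   /* accumulates the pieces of one warning */
  int lasttocont;          /* was the previous piece a continuation? */
  int onoff;               /* warnings enabled? ("@on"/"@off" control) */
  int nullmsgs;            /* NULL messages rejected */
  int emitted;             /* complete warnings emitted */
  char last[WARN_BUFSZ];   /* last complete warning, for inspection */
} warnstate;

void warnstate_init(warnstate *ws) {
  memset(ws, 0, sizeof *ws);
  ws->onoff = 1;
}

/* Returns 0 when the piece is accepted, -1 when it is rejected (NULL msg or
 * a piece that would overflow the buffer). A rejected piece also discards
 * any partially accumulated warning so later pieces start clean. */
int safe_warnf(void *ud, const char *msg, int tocont) {
  warnstate *ws = (warnstate *)ud;
  if (msg == NULL) {             /* the check the report asks for */
    ws->nullmsgs++;
    ws->lasttocont = 0;
    ws->buff[0] = '\0';
    return -1;
  }
  if (!ws->lasttocont && !tocont && msg[0] == '@') {  /* control message? */
    if (strcmp(msg, "@off") == 0) ws->onoff = 0;
    else if (strcmp(msg, "@on") == 0) ws->onoff = 1;
    return 0;
  }
  ws->lasttocont = tocont;
  if (strlen(msg) >= sizeof ws->buff - strlen(ws->buff)) {
    ws->buff[0] = '\0';          /* would overflow: drop instead of aborting */
    ws->lasttocont = 0;
    return -1;
  }
  strcat(ws->buff, msg);
  if (!tocont) {                 /* message complete */
    if (ws->onoff) {
      strcpy(ws->last, ws->buff);
      ws->emitted++;
      fprintf(stderr, "Lua warning: %s\n", ws->buff);
    }
    ws->buff[0] = '\0';
  }
  return 0;
}

int main(void) {
  warnstate ws;
  warnstate_init(&ws);
  safe_warnf(&ws, "hello ", 1);
  safe_warnf(&ws, "world", 0);
  safe_warnf(&ws, NULL, 0);      /* would crash a sink without the check */
  printf("emitted=%d nullmsgs=%d last=\"%s\"\n", ws.emitted, ws.nullmsgs, ws.last);
  return 0;
}
```

The overflow branch returns an error instead of calling badexit, which is a reasonable choice for a library-style sink; a test harness such as ltests.c may legitimately prefer to abort, since it is trying to surface bugs rather than tolerate them.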
