
I am running Fortify SCA and Applications 21.1.1 on a C project and I'm obtaining a "Null pointer dereference" error in the following line:

int parameter1 = 1;
char *parameter2;
int foo = 1;

sprintf(parameter2, "%d", foo); 

pFunction(parameter1, parameter2, NULL);

In a header file, pFunction is declared as:

typedef int(*Function)(int a, char* b, char* c);

extern Function pFunction;

The pFunction definition is in an external file that I don't have access to.

I am pretty sure that this is a false positive in Fortify. Is there a suitable workaround for this?

  • 2
    The code fragments presented do not give me any reason to conclude that Fortify is wrong. That might change if you presented a [mre]. – John Bollinger Dec 02 '21 at 18:13
  • 2
    There is not enough information. Please post [mcve]. – Eugene Sh. Dec 02 '21 at 18:13
  • Which information is missing? – Leonardo Araujo Dec 02 '21 at 18:14
  • Do you not see the hyperlinks in the previous two comments? – John Bollinger Dec 02 '21 at 18:15
  • As said - [mcve]. – Eugene Sh. Dec 02 '21 at 18:15
  • Yes, I read and it is not clear to me which information is missing. – Leonardo Araujo Dec 02 '21 at 18:16
  • There is no information to show that `pFunction` is not `NULL`. – Ian Abbott Dec 02 '21 at 18:17
  • 1
    I'm sorry, but I do not accept that you have had enough time to follow one of those hyperlinks and read and digest the material on the linked page. Do that. If you do not understand the explanation there -- and you certainly don't right now -- then you may ask specific questions about it. – John Bollinger Dec 02 '21 at 18:18
  • Create a minimal program that we can compile and run or could analyze using Fortify (for anyone who has this software) or other tools to reproduce the error you get. Your code snippets are not sufficient to analyze the problem. – Bodo Dec 02 '21 at 18:21
  • Updated the post. I believe it is now reproducible. – Leonardo Araujo Dec 02 '21 at 18:27
  • No, it's not. It is not [mcve]. There is no relation between the `typedef` you are showing and the function definition. – Eugene Sh. Dec 02 '21 at 18:29
  • I don't have information about the `typedef` in the code I am working with. – Leonardo Araujo Dec 02 '21 at 18:30
  • 1
    Probably unrelated, but this line `memset(b, "*", strlen(b));` does not make sense. If you want to fill the buffer with `*` characters, it should be `'*'`, not `"*"`. `strlen` won't work if `b` is not initialized to a valid string before. – Eugene Sh. Dec 02 '21 at 18:30
  • 1
    The code now presented in the question is not a MRE because it is inconsistent: the two declarations of `pFunction` declare different, incompatible types. They do not go with each other, and it is unclear which is supposed to go with the function call in the first fragment. – John Bollinger Dec 02 '21 at 18:37
  • Which of the lines in the snippet might be "the following line?" You use an uninitialized pointer as buffer for `sprintf`. It may or may not be `NULL` but it is an error. – Gerhardh Dec 02 '21 at 18:56
  • @LeonardoAraujo Whether or not it is, in fact, a "null dereference" error, do you understand the fatal problem in the line `sprintf(parameter2, "%d", foo);`? – Steve Summit Dec 02 '21 at 19:08

1 Answer

1

The variable parameter2 declared like

char *parameter2;

either is uninitialized and has an indeterminate value if it is declared in a block scope or represents a null pointer if it is declared in the file scope.

In both cases, if the first argument of a function call is equal to 1, then this statement

memset(b, '*', strlen(b));

invokes undefined behavior.

Note that the typedef declaration of the function pointer type

typedef int(*Function)(int a, char* b, char* c);

does not correspond to the function declaration

void pFunction(int a, char *b, char *c)

They differ in the return type.

Vlad from Moscow
  • You seem to have missed a more fundamental problem with the two declarations of `pFunction`: one declares it as a function, but the other declares it as a pointer (to a function). These are incompatible. – John Bollinger Dec 02 '21 at 18:42
  • @JohnBollinger I see this. But in the context of the question it does not make much sense, because I am sure the code is typed with many typos :) – Vlad from Moscow Dec 02 '21 at 18:44
  • The string is initialized in the code, and the function is defined in an external file which I don't have access to. The only reference to the function is the header file. – Leonardo Araujo Dec 02 '21 at 18:53
  • @LeonardoAraujo Then you needed to provide relevant code without typos, at least where the pointer name and the function name are different. – Vlad from Moscow Dec 02 '21 at 19:00
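An added example (not code from the questioner or the answerer) showing the call site with the defects named in the answer and comments removed: parameter2 gets real storage and is filled with snprintf, the typedef and the callee agree on the return type, and pFunction is checked for NULL before the call. example_callee and call_with_formatted_arg are hypothetical names standing in for the external function the questioner cannot see.

```c
#include <stdio.h>
#include <string.h>

/* Function pointer type as in the question's header. The callee below has
 * exactly this signature, so the typedef and the definition agree
 * (the question's pair differed in return type, which is undefined). */
typedef int (*Function)(int a, char *b, char *c);

/* Constructed stand-in for the externally defined function. It refuses a
 * null buffer instead of passing it to strlen/memset. */
static int example_callee(int a, char *b, char *c)
{
    (void)c;
    if (b == NULL)
        return -1;                      /* null buffer: report, do not touch */
    if (a == 1)
        memset(b, '*', strlen(b));      /* valid only because b is a real string */
    return (int)strlen(b);
}

/* Initialised at file scope; a file-scope pointer without an initialiser
 * would be NULL, which is what a tool has to assume about the question's. */
Function pFunction = example_callee;

/* Corrected version of the questioner's sequence. Returns the callee's
 * result, -2 if pFunction is unset, -3 if formatting failed or truncated. */
int call_with_formatted_arg(int parameter1, int foo)
{
    char parameter2[16];                /* storage the original lacked */
    int n = snprintf(parameter2, sizeof parameter2, "%d", foo);
    if (n < 0 || (size_t)n >= sizeof parameter2)
        return -3;
    if (pFunction == NULL)              /* the check the comments asked for */
        return -2;
    return pFunction(parameter1, parameter2, NULL);
}

int main(void)
{
    /* With a == 1 the callee overwrites "12345" with "*****" and returns 5. */
    printf("%d\n", call_with_formatted_arg(1, 12345));
    return 0;
}
```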