Checkers:LOCRET.GLOB

Function returns address of local variable in a global variable

The LOCRET.GLOB checker finds instances in which a function returns the address of a local variable by writing it into a global variable.

Vulnerability and risk

Local variables are allocated on the stack, so when a function returns a pointer to such a variable, it is returning a stack address. That address becomes invalid once the function returns, so accessing it will probably cause unexpected application behavior, typically a program crash.

Code examples

Vulnerable code example

1  #include <stdlib.h>
2  
3  int *buf;
4  
5  void func_GLOB(unsigned n)
6  {
7      int aux;
8      if (n == 1) {
9          buf = &aux;
10     } else {
11         buf = (int *)malloc(n * sizeof(int));
12     }
13 }

Insight flags line 11, indicating that function func_GLOB returns the address of a local variable through a global variable. The address of local variable aux can be assigned to global variable buf, which can still be used after the function returns.
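
A corrected counterpart of the function above, added here as an illustration and not taken from the checker documentation: every path stores heap memory in buf, so the pointer stays valid after the call. The names func_GLOB_fixed, release_GLOB, clobber_stack, roundtrip_GLOB and buf_len are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

int *buf;                 /* global pointer from the page's example */
static size_t buf_len;    /* hypothetical: number of ints behind buf */

/* Hypothetical fix: buf only ever receives heap memory, including the
 * n == 1 case that used &aux. Returns 0 on success, -1 on failure. */
int func_GLOB_fixed(unsigned n)
{
    if (n == 0)
        return -1;                    /* nothing to allocate */
    int *tmp = calloc(n, sizeof(int)); /* calloc rejects n * size overflow */
    if (tmp == NULL)
        return -1;
    free(buf);                        /* drop old buffer; free(NULL) is a no-op */
    buf = tmp;
    buf_len = n;
    return 0;
}

/* Free the buffer and clear the global so no stale pointer remains. */
void release_GLOB(void)
{
    free(buf);
    buf = NULL;
    buf_len = 0;
}

/* Overwrites a stretch of stack, as any later call would. */
static int clobber_stack(void)
{
    volatile int junk[64];
    for (int i = 0; i < 64; i++)
        junk[i] = -1;
    return junk[63];
}

/* Writes through buf, reuses the stack, then reads the value back. */
int roundtrip_GLOB(void)
{
    if (func_GLOB_fixed(1) != 0)
        return -1;
    buf[0] = 42;
    (void)clobber_stack();
    int v = buf[0];   /* still 42: the storage is on the heap */
    release_GLOB();
    return v;
}
```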

Related checkers

Security Guidelines