Checkers:LOCRET.RET


Function returns address of local variable in a return

The LOCRET.RET checker finds instances in which a function returns the address of a local variable through an expression in the return statement.

Vulnerability and risk

Local variables are allocated on the stack, so a function that returns a pointer to one is returning a stack address. That address becomes invalid as soon as the function returns, so any access through it will probably cause unexpected application behavior, typically a program crash.

Code examples

Vulnerable code example

1  #include <stdlib.h>
2  
3  int *func_RET(unsigned n)
4  {
5      int aux;
6      int *p;
7      if (n == 1) {
8          p = &aux;
9      } else {
10         p = (int *)malloc(n * sizeof(int));
11     }
12     return p;
13 }

Insight flags line 12, indicating that function func_RET returns the address of a local variable through the return statement. The address of local variable aux can be assigned to variable p (line 8), and p is then returned.
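
Two ways to remove the defect, shown as an added example that is not part of the original checker documentation. The names func_RET_fixed and func_fill are hypothetical: the first gives every path heap storage that outlives the call, the second has the caller supply the buffer so no address is returned at all.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical corrected variant of func_RET: every path returns heap
 * storage, so the pointer stays valid after the function returns and the
 * caller can release it with free() regardless of n. */
int *func_RET_fixed(unsigned n)
{
    if (n == 0) {
        return NULL;              /* nothing to allocate */
    }
    /* calloc zero-initializes the elements and returns NULL if
     * n * sizeof(int) cannot be represented. */
    return (int *)calloc(n, sizeof(int));
}

/* Hypothetical alternative: the caller owns the storage and passes it in.
 * Returns 0 on success, -1 on invalid arguments. */
int func_fill(int *out, unsigned n)
{
    if (out == NULL || n == 0) {
        return -1;
    }
    for (unsigned i = 0; i < n; i++) {
        out[i] = (int)i;
    }
    return 0;
}

int main(void)
{
    int *p = func_RET_fixed(1);   /* the n == 1 case that used &aux */
    if (p == NULL) {
        return 1;
    }
    p[0] = 42;                    /* valid: storage outlives the call */
    printf("%d\n", p[0]);
    free(p);

    int local[4];                 /* a stack buffer is safe here because it */
    if (func_fill(local, 4) == 0) /* belongs to the caller and outlives the callee */
        printf("%d\n", local[3]);
    return 0;
}
```

With a single ownership rule (the caller always frees the result of func_RET_fixed), the original's mixed stack-or-heap return also stops being a problem for the caller, who previously could not tell whether free() was safe.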

Related checkers

Security Guidelines