ABSTRACT

Returning the address of a stack variable will cause unintended program behavior, typically in the form of a crash.

EXPLANATION

Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced. The problem can be hard to debug because the cause of the problem is often far removed from the symptom.

Example 1: The following function returns a stack address.


char* getName() {
char name[STR_MAX];
fillInName(name);
return name;
}

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 562

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9