DanielMiessler

A Null Pointer Dereference Primer

By Daniel Miessler
Updated: January 4, 2018 Created: January 3, 2018

Most of my technical primers are…well, technical. This one won’t be because the problem is confusion rather than complexity.

I’ve been in software security for over a decade, and nearly every tester or developer I’ve asked about this topic thinks Null Pointer Dereference Vulnerabilities mean one of two things:

  1. Someone tried to delete (dereference) a pointer while it pointed to NULL, or…
  2. Failure to clean up (dereference) NULL pointers.

In both cases, the mistake is made because they think dereference means to delete something, which it does not. In programming parlance, dereferencing means getting the value for something—a.k.a., reading it.

In other words, a Null Pointer Dereference Vulnerability just means reading a NULL pointer.

That’s it.

It’s not about deleting references, or leaving references lying around, or cleaning up NULL pointers, or any of that stuff. Computers just hate trying to extract the value of things that don’t exist. And I can’t say I blame them.

Hope this helps someone.

Notes

  1. This is a fantastic explanation of pointers on Stack Overflow.
  2. Another interesting piece of trivia: Null Pointer Dereference and Null Pointer Exceptions (NPEs) are the same vulnerability with different names.
  3. Thanks to Jason Powell for talking through this, championing the cause, and reminding me that this primer still needed to be written.
Daniel Miessler
About The Author

Daniel Miessler is a cybersecurity expert and author of The Real Internet of Things, based in San Francisco, California. Specializing in RECON/OSINT, Application and IoT Security, and Security Program Design, he has 20 years of experience helping companies from early-stage startups to the Global 100. Daniel currently works at a leading tech company in the Bay Area, leads the OWASP Internet of Things Security Project, and can be found writing about the intersection of security, technology, and humans. He is also the creator and host of the Unsupervised Learning podcast and newsletter. ::
LEARN MORE ►   CONTACT THE AUTHOR 📧

Every Sunday I send my favorite stories about security, technology, and humans to around 35,000 people.

Related Content

Most Popular Content

Discuss on Twitter
Discuss on Reddit
Discuss on Hacker News
Contact the Author


X

I spend 5-20 hours a week devouring books, RSS feeds, podcasts, and articles about what's happening—and what's coming—in security and technology.

Then every Sunday I send the best of what I find to around 35,000 subscribers.

“Your newsletter has become my most important source of news. It is the only newsletter I will NOT delete until I have perused it to the very end”. ~ Frank Hall Green