LOCRET.RET

Function returns address of local variable in a return

The LOCRET.RET checker finds instances in which a function returns the address of a local variable through an expression in the return statement.

Vulnerability and risk

Local variables are allocated on the stack, so when a function returns a pointer to the variable, it's returning a stack address. The address will be invalidated after returning from the function, so access will probably cause unexpected application behavior, typically a program crash.

Vulnerable code example

1  #include <stdlib.h>
2  
3  int *func_RET(unsigned n)
4  {
5      int aux;
6      int *p;
7      if (n == 1) {
8          p = &aux;
9      } else {
10         p = (int *)malloc(n * sizeof(int));
11     }
12     return p;
13 }

Klocwork flags line 12, indicating that function func_RET returns the address of a local variable through the return statement. The address of local variable aux can be assigned to variable 'p', which is returned.

Related checkers

• LOCRET.ARG
• LOCRET.GLOB

External Guidance

• CWE-562: Return of Stack Variable Address
• DCL30-C:Declare objects with appropriate storage durations