Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Wiki Markup
The prevalence of null pointer dereferencing bugs is so widespread that it is not uncommon to find errors in security contexts. For instance, Java Webstart applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. A {{NullPointerException}} was generated in some isolated cases when the application or applet attempted to establish an https connection with a server \[[SDN 082008|AA. Java References#SDN 08]\]. The failure to establish a secure https connection with the server caused a denial of service issue as clients were temporarily forced to use an insecure http channel for data exchange.

...

Wiki Markup
This noncompliant example shows a bug in Tomcat version 4.1.24 initially discovered by Reasoning \[[Reasoning 032003|AA. Java References#Reasoning 03]\]. The {{cardinality}} method was designed to return the number of occurrences of object {{obj}} in collection {{col}}. A valid use of the {{cardinality}} method  is to determine how many objects in the collection are {{null}}. However, because membership in the collection is checked with the expression {{obj.equals(elt)}}, a null pointer dereference is guaranteed whenever {{obj}} is {{null}}. Such ambiguity can also result from the short-circuit behavior of the conditional AND and OR operators (See [EXP07-J. Be aware of the short-circuit behavior of the conditional AND and OR operators]). 

...

Wiki Markup
Null pointer dereferences can happen in many path dependent ways. Because of the limitations of automatic detection tools, it is required to manually inspect code \[[Hovemeyer 072007|AA. Java References#Hovemeyer 07]\] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can also alleviate the problem to a certain extent by aiding automatic null pointer dereference detection.  

...

References

Wiki Markup
\[[API 062006|AA. Java References#API 06]\] [method doPrivileged()|http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]
\[[Reasoning 032003|AA. Java References#Reasoning 03]\] Defect ID 00-0001, Null Pointer Dereference
\[[SDN 082008|AA. Java References#SDN 08]\] [Bug ID 6514454|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454]
\[[Hovemeyer 072007|AA. Java References#Hovemeyer 07]\]
\[[MITRE 092009|AA. Java References#MITRE 09]\] [CWE ID 479|http://cwe.mitre.org/data/definitions/476.html]

...