Page History

Null pointer dereferencing bugs commonly appear in security contexts. For instance, Java Webstart applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. A {{NullPointerException}} was generated in some isolated cases when the application or applet attempted to establish an https connection with a server \[[SDN 2008|AA. Bibliography#SDN 08]\]. The failure to establish a secure https connection with the server caused a denial of service issue as: clients were temporarily forced to use an insecure http channel for data exchange.

This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning \[[Reasoning 2003|AA. Bibliography#Reasoning 03]\]. The {{cardinality}} method was designed to return the number of occurrences of object {{obj}} in collection {{col}}. A valid use of the {{cardinality}} method  is to determine how many objects in the collection are {{null}}. However, because membership in the collection is checked with the expression {{obj.equals(elt)}}, a null pointer dereference is guaranteed whenever {{obj}} is {{null}}. Such ambiguity can also result from the short-circuit behavior of the conditional AND and OR operators (See guideline [EXP07-J. Be aware of the short-circuit behavior of the conditional AND and OR operators].) 

\[[API 2006|AA. Bibliography#API 06]\] [method doPrivileged()|http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]
\[[Hovemeyer 2007|AA. Bibliography#Hovemeyer 07]\]
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 479|http://cwe.mitre.org/data/definitions/476.html]\[[Reasoning 2003|AA. Bibliography#Reasoning 03]\] Defect ID 00-0001, Null Pointer Dereference
\[[SDN 2008|AA. Bibliography#SDN 08]\] [Bug ID 6514454|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454]