You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 38 Next »

Null pointer dereferencing refers to treating a null variable as if it were a valid object or field and proceeding to use it without checking its state. This condition results in a NullPointerException, which could result in denial of service.

Null pointer dereferencing bugs commonly appear in security contexts. For instance, Java Webstart applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. A NullPointerException was generated in some isolated cases when the application or applet attempted to establish an https connection with a server [[SDN 2008]]. The failure to establish a secure https connection with the server caused a denial of service issue: clients were temporarily forced to use an insecure http channel for data exchange.

Noncompliant Code Example

This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning [[Reasoning 2003]]. The cardinality method was designed to return the number of occurrences of object obj in collection col. A valid use of the cardinality method is to determine how many objects in the collection are null. However, because membership in the collection is checked with the expression obj.equals(elt), a null pointer dereference is guaranteed whenever obj is null. Such ambiguity can also result from the short-circuit behavior of the conditional AND and OR operators (See guideline [EXP07-J. Be aware of the short-circuit behavior of the conditional AND and OR operators].)

public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  Iterator it = col.iterator();
  while(it.hasNext()) {
    Object elt = it.next();
    if((null == obj && null == elt) || obj.equals(elt)) {  // null pointer dereference
      count++;
    }
  }
  return count;
}

Compliant Solution

This compliant solution eliminates the null pointer dereference.

public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  Iterator it = col.iterator();
  while(it.hasNext()) {
    Object elt = it.next();
    if ((null == obj && null == elt) || 
        (null != obj && obj.equals(elt))) {
      count++;
    }
  }
  return count;
}

Null pointer dereferences can happen in many path dependent ways. Because of the limitations of automatic detection tools, it is required to manually inspect code [[Hovemeyer 2007]] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can also alleviate the problem to a certain extent by aiding automatic null pointer dereference detection.

Risk Assessment

Dereferencing a null pointer can lead to denial of service. In multithreaded programs, this can violate cache coherency policies and cause resource leaks.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

EXP12-J

low

likely

high

P3

L3

Automated Detection

The Coverity Prevent Version 5.0 FORWARD_NULL checker can detect the instance where reference is checked against null but then dereferenced anyway.

Related Vulnerabilities

GERONIMO-4467

Related Guidelines

MITRE CWE: CWE-479

Bibliography

[[API 2006]] method doPrivileged()
[[Hovemeyer 2007]]
[[Reasoning 2003]] Defect ID 00-0001, Null Pointer Dereference
[[SDN 2008]] Bug ID 6514454


EXP11-J. Be careful of autoboxing when removing elements from a Collection      04. Expressions (EXP)      EXP13-J. Consistently use the symbolic constants you define

  • No labels