Null pointer dereferencing occurs when a null
variable is treated as if it were a valid object reference and used without checking its state. This condition results in a NullPointerException
, which could result in denial of service. Programs must not dereference null pointers.
Noncompliant Code Example
This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning [[Reasoning 2003]]. The cardinality
method was designed to return the number of occurrences of object obj
in collection col
. One valid use of the cardinality
method is to determine how many objects in the collection are null
. However, because membership in the collection is checked using the expression obj.equals(elt)
, a null pointer dereference is guaranteed whenever obj
is null
and elt
is not null
.
public static int cardinality(Object obj, final Collection col) { int count = 0; Iterator it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || obj.equals(elt)) { // null pointer dereference count++; } } return count; }
Compliant Solution
This compliant solution eliminates the null
pointer dereference.
public static int cardinality(Object obj, final Collection col) { int count = 0; Iterator it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || (null != obj && obj.equals(elt))) { count++; } } return count; }
Note that explicit null checks as shown here are one acceptable approach to eliminating null pointer dereferences.
Risk Assessment
Dereferencing a null
pointer can lead to a denial of service. In multithreaded programs, null pointer dereferences can violate cache coherency policies and can cause resource leaks.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP01-J |
low |
likely |
high |
P3 |
L3 |
Automated Detection
Null pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code [[Hovemeyer 2007]] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.
The Coverity Prevent Version 5.0 FORWARD_NULL checker can detect the instance where reference is checked against null but then dereferenced anyway.
Related Vulnerabilities
Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a NullPointerException
[[SDN 2008]]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service: clients were temporarily forced to use an insecure http channel for data exchange.
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4c6dba43-881e-4ce5-a239-ac3618dc9f28"><ac:plain-text-body><![CDATA[ |
[ISO/IEC TR 24772:2010 |
http://www.aitcnet.org/isai/] |
"Null Pointer Dereference [XYH]" |
]]></ac:plain-text-body></ac:structured-macro> |
CWE-476, "NULL Pointer Dereference" |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="938c4ee7-dd44-4ada-96e5-06ac44de5ed4"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
[method doPrivileged() |
http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="51c2c12b-7328-49da-a236-a3f1a5e2adf7"><ac:plain-text-body><![CDATA[ |
[[Hovemeyer 2007 |
AA. Bibliography#Hovemeyer 07]] |
|
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="915f8509-76f1-4f40-aa8e-602998be9a97"><ac:plain-text-body><![CDATA[ |
[[Reasoning 2003 |
AA. Bibliography#Reasoning 03]] |
Defect ID 00-0001 |
]]></ac:plain-text-body></ac:structured-macro> |
|
|
Null Pointer Dereference |
||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="529c9eb0-364d-4165-8277-40a8c8f95134"><ac:plain-text-body><![CDATA[ |
[[SDN 2008 |
AA. Bibliography#SDN 08]] |
[Bug ID 6514454 |
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454] |
]]></ac:plain-text-body></ac:structured-macro> |
02. Expressions (EXP) EXP02-J. Use the two-argument Arrays.equals() method to compare the contents of arrays