Null pointer dereferencing occurs when a null
variable is treated as if it were a valid object reference and used without checking its state. This condition results in a NullPointerException
, which could result in denial of service. Programs must not dereference null pointers.
Noncompliant Code Example
This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning [[Reasoning 2003]]. The cardinality
method was designed to return the number of occurrences of object obj
in collection col
. One valid use of the cardinality
method is to determine how many objects in the collection are null
. However, because membership in the collection is checked using the expression obj.equals(elt)
, a null pointer dereference is guaranteed whenever obj
is null
.
public static int cardinality(Object obj, final Collection col) { int count = 0; Iterator it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || obj.equals(elt)) { // null pointer dereference count++; } } return count; }
Compliant Solution
This compliant solution eliminates the null
pointer dereference.
public static int cardinality(Object obj, final Collection col) { int count = 0; Iterator it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || (null != obj && obj.equals(elt))) { count++; } } return count; }
Note that explicit null checks as shown here are one acceptable approach to eliminating null pointer dereferences;
Risk Assessment
Dereferencing a null
pointer can lead to a denial of service. For example, Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a NullPointerException
[[SDN 2008]]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service: clients were temporarily forced to use an insecure http channel for data exchange. In multithreaded programs, null pointer dereferences can violate cache coherency policies and can cause resource leaks.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP01-J |
low |
likely |
high |
P3 |
L3 |
Automated Detection
Null pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code [[Hovemeyer 2007]] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.
The Coverity Prevent Version 5.0 FORWARD_NULL checker can detect the instance where reference is checked against null but then dereferenced anyway.
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d6df44a0-45b3-40bb-9c6f-1f124a85b53a"><ac:plain-text-body><![CDATA[ |
[ISO/IEC TR 24772:2010 |
http://www.aitcnet.org/isai/] |
"Null Pointer Dereference [XYH]" |
]]></ac:plain-text-body></ac:structured-macro> |
CWE ID 476, "NULL Pointer Dereference" |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="692a6b6e-ea54-4608-837a-db7152c0dff6"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
[method doPrivileged() |
http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="71fccad8-b766-437b-9d2e-9c637cb1c6a0"><ac:plain-text-body><![CDATA[ |
[[Hovemeyer 2007 |
AA. Bibliography#Hovemeyer 07]] |
|
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d6b018d2-1f3e-48e3-885e-cc166ebae5de"><ac:plain-text-body><![CDATA[ |
[[Reasoning 2003 |
AA. Bibliography#Reasoning 03]] |
Defect ID 00-0001 |
]]></ac:plain-text-body></ac:structured-macro> |
|
|
Null Pointer Dereference |
||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cd080ce9-f823-43c7-aace-913e18ca5b5f"><ac:plain-text-body><![CDATA[ |
[[SDN 2008 |
AA. Bibliography#SDN 08]] |
[Bug ID 6514454 |
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454] |
]]></ac:plain-text-body></ac:structured-macro> |
EXP04-J. Ensure that autoboxed values have the intended type 02. Expressions (EXP) 03. Numeric Types and Operations (NUM)