You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 89 Next »

Null pointer dereferencing occurs when a variable bound to the null value is treated as if it were a valid object reference and used without checking its state. This condition results in a NullPointerException, which can in turn result in a denial of service. The denial of service is caused by the exception interrupting the program or thread, and probably causing it to terminate. Termination is likely because catching NullPointerException is forbidden by ERR08-J. Do not catch NullPointerException or any of its ancestors. Consequently, code must never dereference null pointers.

Noncompliant Code Example

This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning [[Reasoning 2003]]. The cardinality method was designed to return the number of occurrences of object obj in collection col. One valid use of the cardinality method is to determine how many objects in the collection are null. However, because membership in the collection is checked using the expression obj.equals(elt), a null pointer dereference is guaranteed whenever obj is null and elt is not null.

public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  if (col == null) {
    return count;
  }
  Iterator it = col.iterator();
  while (it.hasNext()) {
    Object elt = it.next();
    if ((null == obj && null == elt) || obj.equals(elt)) {  // null pointer dereference
      count++;
    }
  }
  return count;
}

Compliant Solution

This compliant solution eliminates the null pointer dereference.

public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  if (col == null) {
    return count;
  }
  Iterator it = col.iterator();
  while (it.hasNext()) {
    Object elt = it.next();
    if ((null == obj && null == elt) ||
        (null != obj && obj.equals(elt))) {
      count++;
    }
  }
  return count;
}

Explicit null checks as shown here an acceptable approach to eliminating null pointer dereferences.

Noncompliant Code Example

This noncompliant code example defines an isName() method that takes a String argument and returns true if the given string is a valid name. A valid name is defined as two capitalized words separated by one or more spaces.

public boolean isName(String s) {
  String names[] = s.split(" ");
  if (names.length != 2) {
    return false;
  }
  return (isCapitalized(names[0]) && isCapitalized(names[1]));
}

Method isName() is noncompliant because a null argument results in isName() dereferencing a null pointer.

Compliant Solution

This compliant solution demonstrates that the context in which code appears can impact its compliance. This example includes the same isName() method as the previous noncompliant example, but as part of a more general method that tests string arguments.

public class Foo {
  private boolean isName(String s) {
    String names[] = s.split(" ");
    if (names.length != 2) {
      return false;
    }
    return (isCapitalized(names[0]) && isCapitalized(names[1]));
  }

  public boolean testString(String s) {
    if (s == null) return false;
    else return isName(s);
  }
}

The isName() method is a private method with only one caller in its containing class. The calling method, testString(), guarantees that isName() is always called with a valid string reference. As a result, the class conforms with this rule, even though isName() in isolation does not. In general, guarantees of this sort can be used to eliminate null pointer dereferences.

Exceptions

EXP01-EX0: A method may dereference an object-typed parameter without guarantee that it is a valid object reference provided that the method documents that it (potentially) throws a NullPointerException, either via the throws clause of the method or in the method comments. However, this exception should be relied upon sparingly.

Risk Assessment

Dereferencing a null pointer can lead to a denial of service. In multithreaded programs, null pointer dereferences can violate cache coherency policies and can cause resource leaks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP01-J

low

likely

high

P3

L3

Automated Detection

Null pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code [[Hovemeyer 2007]] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.

Related Vulnerabilities

Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a NullPointerException [[SDN 2008]]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service. Clients were temporarily forced to use an insecure HTTP channel for data exchange.

Related Guidelines

CERT C Secure Coding Standard

EXP34-C. Do not dereference null pointers

CERT C++ Secure Coding Standard

EXP34-CPP. Ensure a null pointer is not dereferenced

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3ec123fc-0fa9-45ff-a989-ac289de402f8"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010

http://www.aitcnet.org/isai/]

Null Pointer Dereference [XYH]

]]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE-476. NULL pointer dereference

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ccca7aae-1fe7-4f05-b2b9-ec077527a9b1"><ac:plain-text-body><![CDATA[

[[API 2006

AA. References#API 06]]

[Method doPrivileged()

http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9aa8d050-da62-4354-bc3e-a373e2d85daf"><ac:plain-text-body><![CDATA[

[[Hovemeyer 2007

AA. References#Hovemeyer 07]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8fc60ccc-39b2-4939-9065-1ec45c63aeae"><ac:plain-text-body><![CDATA[

[[Reasoning 2003

AA. References#Reasoning 03]]

Defect ID 00-0001

]]></ac:plain-text-body></ac:structured-macro>

 

Null Pointer Dereference

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="63e1d281-f33a-493b-851b-f86cfeef3554"><ac:plain-text-body><![CDATA[

[[SDN 2008

AA. References#SDN 08]]

[Bug ID 6514454

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454]

]]></ac:plain-text-body></ac:structured-macro>


      02. Expressions (EXP)      EXP02-J. Use the two-argument Arrays.equals() method to compare the contents of arrays

  • No labels