Null pointer dereferencing occurs when a null
variable is treated as if it were a valid object reference and used without checking its state. This condition results in a NullPointerException
, and can also result in denial of service. Consequently, null pointers must never be dereferenced.
Noncompliant Code Example
This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning [[Reasoning 2003]]. The cardinality
method was designed to return the number of occurrences of object obj
in collection col
. One valid use of the cardinality
method is to determine how many objects in the collection are null
. However, because membership in the collection is checked using the expression obj.equals(elt)
, a null pointer dereference is guaranteed whenever obj
is null
and elt
is not null
.
public static int cardinality(Object obj, final Collection col) { int count = 0; Iterator it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || obj.equals(elt)) { // null pointer dereference count++; } } return count; }
Compliant Solution
This compliant solution eliminates the null
pointer dereference.
public static int cardinality(Object obj, final Collection col) { int count = 0; Iterator it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || (null != obj && obj.equals(elt))) { count++; } } return count; }
Explicit null checks as shown here an acceptable approach to eliminating null pointer dereferences.
Risk Assessment
Dereferencing a null
pointer can lead to a denial of service. In multithreaded programs, null pointer dereferences can violate cache coherency policies and can cause resource leaks.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP01-J |
low |
likely |
high |
P3 |
L3 |
Automated Detection
Null pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code [[Hovemeyer 2007]] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.
Related Vulnerabilities
Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a NullPointerException
[[SDN 2008]]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service. Clients were temporarily forced to use an insecure HTTP channel for data exchange.
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8d261751-b1da-4339-acf2-b618282bf5a8"><ac:plain-text-body><![CDATA[ |
[ISO/IEC TR 24772:2010 |
http://www.aitcnet.org/isai/] |
Null Pointer Dereference [XYH] |
]]></ac:plain-text-body></ac:structured-macro> |
CWE-476. NULL pointer dereference |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="06098965-c7da-48bf-a54d-167b9a351bbf"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
[Method |
http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b8c8c43a-7666-452f-b7c4-0167e3c5e8dc"><ac:plain-text-body><![CDATA[ |
[[Hovemeyer 2007 |
AA. Bibliography#Hovemeyer 07]] |
|
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e337e6cf-c991-437e-a046-a9b7586e3d2d"><ac:plain-text-body><![CDATA[ |
[[Reasoning 2003 |
AA. Bibliography#Reasoning 03]] |
Defect ID 00-0001 |
]]></ac:plain-text-body></ac:structured-macro> |
|
|
Null Pointer Dereference |
||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4735ac44-1e99-46b3-a04a-3b9700f02eac"><ac:plain-text-body><![CDATA[ |
[[SDN 2008 |
AA. Bibliography#SDN 08]] |
[Bug ID 6514454 |
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454] |
]]></ac:plain-text-body></ac:structured-macro> |
02. Expressions (EXP) EXP02-J. Use the two-argument Arrays.equals() method to compare the contents of arrays