Null pointer dereferencing refers to treating a null
variable as if it were a valid object or field and proceeding to use it without checking its state. Typically, this condition results in a NullPointerException
which may lead to denial of service. While other runtime exceptions can produce similar effects, NullPointerException
is often found to be the most frequent show-stopper.
The prevalence of null pointer dereferencing bugs is so widespread that it is not uncommon to find errors in security contexts. For instance, Java Webstart applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. A NullPointerException
resulted in some isolated cases when the application or applet attempted to establish an https connection with the server [[SDN 08]]. This caused a denial of service issue as clients were temporarily left with no choice but to provide an insecure channel for data exchange.
Noncompliant Code Example
This noncompliant example shows a bug in Tomcat version 4.1.24 initially discovered by Reasoning [[Reasoning 03]]. The cardinality
method was designed to return the number of occurrences of object obj
in collection col
. A valid use case would be to determine how many objects in the collection are null
, given a null
object parameter. However, when coupled with the obj.equals(elt)
expression, this leads to a guaranteed null pointer dereference whenever obj
is null
. Such ambiguity can also result from the short-circuit behavior of the conditional AND and OR operators (See [EXP06-J. Be aware of the short-circuit behavior of the conditional AND and OR operators]).
public static int cardinality(Object obj, final Collection col) { int count = 0; Iterator it = col.iterator(); while(it.hasNext()) { Object elt = it.next(); if((null == obj && null == elt) || obj.equals(elt)) { // null pointer dereference count++; } } return count; }
Compliant Solution
The straightforward solution to this issue is to decouple the null checks from the expression that invokes a method on the variable obj
.
if (obj == null) { for(Iterator it = col.iterator();it.hasNext();) { // col is currently named coll if (it.next() == null) { count++; } } } else { for (Iterator it = col.iterator();it.hasNext();) { // col is currently named coll if (obj.equals(it.next())) { count++; } } }
Dereferences of null pointers can happen in many path dependent ways. Due to the limitations of automatic detection tools, code review and manual inspection of code are inevitable [[Hovemeyer 07]]. Annotations for method parameters that must be non-null can also alleviate the occurrences to a certain extent by aiding automatic detection.
Risk Assessment
Dereferencing a null pointer can lead to Denial of Service vulnerabilities. In multithreaded programs, this can violate cache coherency policies and lead to resource leaks.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP01- J |
low |
likely |
high |
P3 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[API 06]] method doPrivileged()
[[Reasoning 03]] Defect ID 00-0001, Null Pointer Dereference
[[SDN 08]] Bug ID 6514454
[[Hovemeyer 07]]
[[MITRE 09]] CWE ID 479
EXP00-J. Use the same type for the second and third operands in conditional expressions 03. Expressions (EXP) EXP02-J. Do not ignore values returned by methods