...
This noncompliant code example uses a direct pointer to a Java object, with erroneous results.
Compliant Solution
In this compliant solution ...
Risk Assessment
If a direct pointer to a Java object is used, erroneous results may be obtained that could cause the code to crash. This, in turn, could be used to mount a denial-of-service attack. In some circumstances, the direct pointer could become a "dangling pointer", which could result in sensitive information being leaked or in malicious execution of arbitrary code.
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| JNI02-J | High | Probable | No | No | P6 | L2 |
Automated Detection
Direct pointers to Java objects can be detected and replaced by indirect handles automatically.
...
Before Android version 4.0, "Ice Cream Sandwich", direct pointers to Java objects were used in native code. Ice Cream Sandwich introduced indirect handles instead, to facilitate the future introduction of a compacting garbage collector. Such a garbage collector moves objects in memory, so direct pointers to objects may no longer be valid after it has run. For more information, see [Verify], section "Preventing JNI Issues", and [Hughes 2011].
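The effect described above can be reproduced with a toy model in plain C. This is an added example, not code from the original page, the JNI specification or the Android runtime. All names (`Object`, `Handle`, `new_object`, `compact`, `read_b_after_gc`) are hypothetical, and the fixed-size heap and handle table are simplifying assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of a moving collector, constructed for illustration;
   it is not the Android runtime's or any JVM's implementation. */
#define SLOTS 4
typedef struct { int live; int value; } Object;
typedef int Handle;                       /* table index, never an address */

static Object  heap[SLOTS];
static Object *table[SLOTS];              /* handle -> current address */
static int     next_handle;

static Handle new_object(int value) {
    for (int i = 0; i < SLOTS && next_handle < SLOTS; i++)
        if (!heap[i].live) {
            heap[i] = (Object){ 1, value };
            table[next_handle] = &heap[i];
            return next_handle++;
        }
    return -1;                            /* heap or table exhausted */
}

static void free_object(Handle h) { table[h]->live = 0; table[h] = NULL; }
static Object *deref(Handle h) { return table[h]; }

/* Slide live objects to the front and fix up the handle table.
   Raw pointers cached by native code are not (and cannot be) fixed. */
static void compact(void) {
    for (int src = 0, dst = 0; src < SLOTS; src++) {
        if (!heap[src].live) continue;
        if (src != dst) {
            heap[dst] = heap[src];
            heap[src].live = 0;
            for (Handle h = 0; h < SLOTS; h++)
                if (table[h] == &heap[src]) table[h] = &heap[dst];
        }
        dst++;
    }
}

/* Read object b after a collection, via its handle or a cached pointer. */
int read_b_after_gc(int use_handle) {
    memset(heap, 0, sizeof heap); memset(table, 0, sizeof table); next_handle = 0;
    Handle a = new_object(111), b = new_object(222);
    (void)new_object(333);                /* c, allocated after b */
    Object *raw_b = deref(b);             /* noncompliant: direct pointer kept */
    free_object(a);
    compact();                            /* b and c each move down one slot */
    return use_handle ? deref(b)->value : raw_b->value;
}
```

Through the handle the read still returns b's own value. The cached pointer now lands on the slot that c was moved into, so native code holding it silently reads another object's data.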
Applicability
Android Version Applicability
Applies to Android API versions 14 (ICE_CREAM_SANDWICH) and above, with Native Development Kit (NDK) 7.
| API Levels |
|---|
| 14 and above |
Bibliography
| JNISpec 2014 | Java Native Interface Specification |
| Verify | Preventing JNI Issues |
| Hughes 2011 | JNI Local Reference Changes in ICS |
...