View Source

Null pointer dereferencing occurs when a null variable is treated as if it were a valid object reference and used without checking its state. This condition results in a NullPointerException, and can also result in denial of service. Consequently, null pointers must never be dereferenced.

Noncompliant Code Example

This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning \[[Reasoning 2003|AA. Bibliography#Reasoning 03]\]. The {{cardinality}} method was designed to return the number of occurrences of object {{obj}} in collection {{col}}. One valid use of the {{cardinality}} method  is to determine how many objects in the collection are {{null}}. However, because membership in the collection is checked using the expression {{obj.equals(elt)}}, a null pointer dereference is guaranteed whenever {{obj}} is {{null}} and {{elt}} is not {{null}}.

public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  Iterator it = col.iterator();
  while (it.hasNext()) {
    Object elt = it.next();
    if ((null == obj && null == elt) || obj.equals(elt)) {  // null pointer dereference
      count++;
    }
  }
  return count;
}

Compliant Solution

This compliant solution eliminates the null pointer dereference.

public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  Iterator it = col.iterator();
  while (it.hasNext()) {
    Object elt = it.next();
    if ((null == obj && null == elt) || 
        (null != obj && obj.equals(elt))) {
      count++;
    }
  }
  return count;
}

Explicit null checks as shown here an acceptable approach to eliminating null pointer dereferences.

Risk Assessment

Dereferencing a null pointer can lead to a denial of service. In multithreaded programs, null pointer dereferences can violate cache coherency policies and can cause resource leaks.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
EXP01-J	low	likely	high	P3	L3

Automated Detection

Null pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code \[[Hovemeyer 2007|AA. Bibliography#Hovemeyer 07]\] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.

Related Vulnerabilities

Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a {{NullPointerException}} \[[SDN 2008|AA. Bibliography#SDN 08]\]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service. Clients were temporarily forced to use an insecure HTTP channel for data exchange.

Related Guidelines

CERT C Secure Coding Standard	EXP34-C. Do not dereference null pointers
CERT C++ Secure Coding Standard	EXP34-CPP. Ensure a null pointer is not dereferenced
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e2972ff8-ea3d-4e90-bf0f-9be71ac75404"><ac:plain-text-body><![CDATA[	[ISO/IEC TR 24772:2010	http://www.aitcnet.org/isai/]	Null Pointer Dereference [XYH]	]]></ac:plain-text-body></ac:structured-macro>
MITRE CWE	CWE-476. NULL pointer dereference

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="01859799-502f-4649-bfa1-2b21c56d2550"><ac:plain-text-body><![CDATA[	[[API 2006	AA. Bibliography#API 06]]	[Method `doPrivileged()`	http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="97220a51-e477-45ba-adb8-c8e50805f097"><ac:plain-text-body><![CDATA[	[[Hovemeyer 2007	AA. Bibliography#Hovemeyer 07]]		]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="60ad65c4-93ce-463b-bae8-70974ebdf0e9"><ac:plain-text-body><![CDATA[	[[Reasoning 2003	AA. Bibliography#Reasoning 03]]	Defect ID 00-0001	]]></ac:plain-text-body></ac:structured-macro>
	Null Pointer Dereference
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f756a918-2714-4420-8129-21f9910acb9f"><ac:plain-text-body><![CDATA[	[[SDN 2008	AA. Bibliography#SDN 08]]	[Bug ID 6514454	http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6514454]	]]></ac:plain-text-body></ac:structured-macro>

02. Expressions (EXP) EXP02-J. Use the two-argument Arrays.equals() method to compare the contents of arrays