[jboss-jira] [JBoss JIRA] (ELY-743) Coverity static analysis: Dereference null return value in ServerAuthenticationContext (Elytron)

David Lloyd (JIRA) issues at jboss.org
Fri Nov 11 10:28:00 EST 2016 

    [ https://issues.jboss.org/browse/ELY-743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13321220#comment-13321220 ] 

David Lloyd commented on ELY-743:
---------------------------------

The {{getCredentialAcquireSupport()}} method should never return {{null}}; if it does, then an NPE seems like the correct behavior.  The only way I could see that happening though is if a RealmIdentity implementation is set up to return {{null}}.

But I do see that org.wildfly.security.auth.realm.ldap.LdapSecurityRealm.LdapRealmIdentity#getCredentialAcquireSupport() can return null, and that's definitely an error, which could lead to this NPE being triggered.

> Coverity static analysis: Dereference null return value in ServerAuthenticationContext (Elytron)
> ------------------------------------------------------------------------------------------------
>
>                 Key: ELY-743
>                 URL: https://issues.jboss.org/browse/ELY-743
>             Project: WildFly Elytron
>          Issue Type: Bug
>            Reporter: Josef Cacek
>            Assignee: Darran Lofthouse
>              Labels: static_analysis
>
> Coverity static-analysis scan found 3 possible calls on null objects in {{ServerAuthenticationContext}} class.
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760324&defectInstanceId=1541382&mergedDefectId=1369286
> In {​{ServerAuthenticationContext.AuthorizedState.​isSamePrincipal(Principal)}} - Return value of function which returns null is dereferenced without checking.
> {code}
> 2039    boolean isSamePrincipal(final Principal principal) {
>     
> // 1. returned_null: getName returns null (checked 9 out of 11 times). (The virtual call resolves to org.wildfly.security.auth.server.PrincipalDecoder.<clinit>/<gen>org.wildfly.security.auth.server.PrincipalDecoder_instance_2.getName.) [show details]
>     
> // 2. var_assigned: Assigning: name = null return value from getName.
> 2040        String name = authorizedIdentity.getSecurityDomain().getPrincipalDecoder().getName(principal);
>     
> // CID 1369286 (#1 of 1): Dereference null return value (NULL_RETURNS)3. dereference: Dereferencing a pointer that might be null name when calling isSameName. [show details]
> 2041        return isSameName(name);
> 2042    }
> {code}
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760324&defectInstanceId=1541377&mergedDefectId=1369289
> In {{ServerAuthenticationContext.NameAssignedState.​isSamePrincipal(Principal)}} - the same as the previous one.
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760324&defectInstanceId=1541378&mergedDefectId=1369304
> In {{​ServerAuthenticationContext.ANONYMOUS.​handleOne(​Callback[], int)}}
> {code}
> 790    final PasswordCallback passwordCallback = (PasswordCallback) callback;
> 791
>    
> // 8. returned_null: getCredentialAcquireSupport returns null (checked 0 out of 1 times). [show details]
>    
> // CID 1369304 (#1 of 1): Dereference null return value (NULL_RETURNS)9. null_method_call: Calling a method on null object getCredentialAcquireSupport(org.wildfly.security.credential.PasswordCredential.class).
> 792    if (getCredentialAcquireSupport(PasswordCredential.class).mayBeSupported()) {
> {code}
> *Suggested improvement*
> Add null checks.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list