CS.NRE.CHECK.CALL.MIGHT

An object reference value from a path where it is positively checked for null might be passed to a function that can dereference it without checking for null.

Vulnerability and risk

Dereferencing a null object reference is a critical runtime problem that will crash the application on some operating systems and throw a runtime exception on others.

Example 1

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
  public class A {
    public void abc() {}
     public void foo(A a) {
      if (flag2)
        return;
      a.abc();
     }
  
    public A boo() {
     if (flag3)
       return new A();
     return null;
   }
 
    public void var() {
     A a = new A();
     if (a != null) {
       DoSomething();
     }
     if (flag) {
       foo(a);
     }
    }
    
    private void DoSomething() {}

    private bool flag;
    private bool flag2;
    private bool flag3;
 }

Klocwork produces an issue report (CS.NRE.CHECK.CALL.MIGHT) at line 21 for variable 'a'. Variable 'a' is compared with null value at line 17, and therefore may still be expected to be null if it is passed as argument 1 to function 'foo' at line 21, which may dereference it.

External guidance

CWE-476: NULL Pointer Dereference

Security training

Application security training materials provided by Secure Code Warrior.

Null Dereference Training Video - Test your skills with a training example