You are viewing a plain text version of this content. The canonical link for it is here.

Posted to java-dev@axis.apache.org by "Andreas Veithen (JIRA)" <ji...@apache.org> on 2017/08/08 20:06:00 UTC

[jira] [Commented] (AXIS2-5863) Possible null dereference in ServiceStub class

    [ https://issues.apache.org/jira/browse/AXIS2-5863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118944#comment-16118944 ] 

Andreas Veithen commented on AXIS2-5863:
----------------------------------------

That's because I didn't apply your patch. Instead I implemented a different solution, namely I changed the code so that _messageContext can't be null in the first place (by simply creating the MessageContext instance earlier). That indeed means that the piece of code you posted in the bug description remains unchanged. Note that similar code is produced in multiple locations in the template. I may have missed one instance. If that's the case, let me know.

> Possible null dereference in ServiceStub class
> ----------------------------------------------
>
>                 Key: AXIS2-5863
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5863
>             Project: Axis2
>          Issue Type: Bug
>          Components: codegen
>    Affects Versions: 1.7.5
>            Reporter: Petr Dvorak
>            Priority: Minor
>              Labels: security
>             Fix For: 1.7.6
>
>         Attachments: diff.patch
>
>
> We use Coverity Scan tool to audit our open-source code against security vulnerabilities. Possible NullPointerException was detected in Axis2 generated ServiceStub class code. The issue occurs in following generated code:
> {code:java}
> } finally {
>     if (_messageContext.getTransportOut() != null) {
>         _messageContext.getTransportOut().getSender()
>         .cleanup(_messageContext);
>     }
> }
> {code}
> In case "_messageContext" is set to null, the if condition throws NPE. Also, we can see the path on how this variable value actually may become null, so we believe the issue is valid and null check should be present...
> Here are possible implications of the issue from the security perspective:
> http://cwe.mitre.org/data/definitions/476.html



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org