Mentions légales du service

Skip to content

Null pointers should not be dereferenced

The following bug report has been received through the YesWeHack public bug bounty phase.

Acknowledgements: Vincent LOUIS - Linty Services

The following report refers to this code: https://gitlab.inria.fr/stopcovid19/robert-server/-/blob/08db030b079c481b4e68c785466a953403dcd4e4/robert-server-common/src/main/java/fr/gouv/stopc/robert/server/common/utils/ByteUtils.java#L44

A reference to null should never be dereferenced/accessed. Doing so will cause a NullPointerException to be thrown. At best, such an exception will cause abrupt program termination. At worst, it could expose debugging information that would be useful to an attacker, or it could allow an attacker to bypass security measures.

 public static byte[] addAll(byte[] a, byte[] b) {
        if (a == null) {
            byte[] copy = new byte[b.length]; // ANSSI comment: maybe check "b" here as well
            System.arraycopy(b, 0, copy, 0, b.length); 
            return copy;
        } else if (b == null) {
            byte[] copy = new byte[a.length]; 
            System.arraycopy(a, 0, copy, 0, a.length); 
        }

        byte[] res = new byte[a.length + b.length]; // A "NullPointerException" could be thrown; "b" is nullable here
        System.arraycopy(a, 0, res, 0, a.length);
        System.arraycopy(b, 0, res, a.length, b.length);
        return res;
    }

ANSSI comment:

A quick look at the same Utils file shows other helper functions might suffer from the same issue (bytesToLong, bytesToInt, convertEpoch24bitsToInt), depending on calling context / assumptions.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information