Null pointers should not be dereferenced
The following bug report has been received through the YesWeHack public bug bounty phase.
Acknowledgements: Vincent LOUIS - Linty Services
The following report refers to this code: https://gitlab.inria.fr/stopcovid19/robert-server/-/blob/08db030b079c481b4e68c785466a953403dcd4e4/robert-server-common/src/main/java/fr/gouv/stopc/robert/server/common/utils/ByteUtils.java#L44
A reference to null should never be dereferenced/accessed. Doing so will cause a NullPointerException to be thrown. At best, such an exception will cause abrupt program termination. At worst, it could expose debugging information that would be useful to an attacker, or it could allow an attacker to bypass security measures.
public static byte[] addAll(byte[] a, byte[] b) {
if (a == null) {
byte[] copy = new byte[b.length]; // ANSSI comment: maybe check "b" here as well
System.arraycopy(b, 0, copy, 0, b.length);
return copy;
} else if (b == null) {
byte[] copy = new byte[a.length];
System.arraycopy(a, 0, copy, 0, a.length);
}
byte[] res = new byte[a.length + b.length]; // A "NullPointerException" could be thrown; "b" is nullable here
System.arraycopy(a, 0, res, 0, a.length);
System.arraycopy(b, 0, res, a.length, b.length);
return res;
}
ANSSI comment:
A quick look at the same Utils file shows other helper functions might suffer from the same issue (bytesToLong
, bytesToInt
, convertEpoch24bitsToInt
), depending on calling context / assumptions.