cassandra-commits mailing list archives

From "Sherif Mansour (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-6263) Static Code Analysis Results: Null Dereference
Date Tue, 29 Oct 2013 13:02:31 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-6263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13807946#comment-13807946 ]

Sherif Mansour commented on CASSANDRA-6263:
-------------------------------------------

Sure, no problem :-)
Additionally, is there a responsible disclosure process when people find an exploitable issue?

> Static Code Analysis Results: Null Dereference
> ----------------------------------------------
>
>                 Key: CASSANDRA-6263
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-6263
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>            Reporter: Sherif Mansour
>            Priority: Minor
>              Labels: Security
>
> I would like to contribute to the Cassandra community by raising bugs for code quality issues.
> The first bug type I am raising for is Null Dereference.
> Additionally, I can raise bugs for security issues; however, I cannot find the responsible disclosure process for the Cassandra team. These issues would need to be private for obvious reasons.
> The issues:
> 01) The method deleteStatement() in CqlParser.java can crash the program by dereferencing a null pointer on line 2034.
> 02) The method columnOperation() in CqlParser.java can crash the program by dereferencing a null pointer on line 6338.
> 03) The method isSatisfiedBy() in ExtendedFilter.java can crash the program by dereferencing a null pointer on line 316.
> 04) The method run() in IndexedRangeSlicer.java can crash the program by dereferencing a null pointer on line 101.
> 05) The method scrub() in Scrubber.java can crash the program by dereferencing a null pointer on line 169.
> 06) The method processColumnFamily() in SelectStatement.java can crash the program by dereferencing a null pointer on line 901.
> 07) The method accept() in SSTableLoader.java can crash the program by dereferencing a null pointer on line 81.
> 08) The method buildSummary() in SSTableReader.java can crash the program by dereferencing a null pointer on line 469.
> 09) The method buildSummary() in SSTableReader.java can crash the program by dereferencing a null pointer on line 476.
> 10) The method fetchRows() in StorageProxy.java can crash the program by dereferencing a null pointer on line 1280.
> 11) The method fetchRows() in StorageProxy.java can crash the program by dereferencing a null pointer on line 1297.
> 12) The method groupSuperColumns() in SuperColumns.java can crash the program by dereferencing a null pointer on line 99.
> Recommendations:
> Implement careful checks before dereferencing objects that might be null. When possible, abstract null checks into wrappers around code that manipulates resources to ensure that they are applied in all cases and to minimize the places where mistakes can occur.
> PLEASE NOTE: These issues do require manual verification as some might be false positives.
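As an added illustration of the recommendation quoted above (not code from Cassandra or from the reporter): the `NullGuardExample` class and its lookups are hypothetical stand-ins for any method whose result may legitimately be null. The first method dereferences the lookup result directly, which is the shape a static analyzer reports; the second routes every lookup that must succeed through one wrapper that fails fast with a descriptive exception, so the check cannot be forgotten at individual call sites; the third returns `Optional` where absence is a normal outcome, leaving nothing unchecked for an analyzer to flag.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical store whose lookups may return null for a missing key
// (constructed for this example; not Cassandra code).
public final class NullGuardExample {
    private final Map<String, String> rows = new HashMap<>();

    // Pattern a static analyzer reports as a null dereference:
    // Map.get() returns null for an absent key and the result is used unchecked.
    public int lengthUnchecked(String key) {
        String value = rows.get(key);
        return value.length();           // NullPointerException when key is absent
    }

    // Recommended shape: a single wrapper owns the null check and names what was
    // missing. Every call site that requires a present row goes through it.
    private String requireRow(String key) {
        String value = rows.get(key);
        if (value == null) {
            throw new IllegalStateException("row not found for key: " + key);
        }
        return value;
    }

    public int lengthChecked(String key) {
        return requireRow(key).length(); // fails fast with a clear message, no NPE
    }

    // When absence is a normal outcome rather than an error, return Optional so the
    // caller must decide explicitly; the dereference is now guarded by construction.
    public Optional<Integer> lengthIfPresent(String key) {
        return Optional.ofNullable(rows.get(key)).map(String::length);
    }

    public static void main(String[] args) {
        NullGuardExample store = new NullGuardExample();
        store.rows.put("a", "hello");
        System.out.println(store.lengthChecked("a"));
        System.out.println(store.lengthIfPresent("missing").isPresent());
        try {
            store.lengthChecked("missing");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `lengthUnchecked("missing")` would throw the NullPointerException the analyzer warns about; the wrapper and the `Optional` variant are the two ways the quoted recommendation turns that into a deliberate, reviewable decision.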



--
This message was sent by Atlassian JIRA
(v6.1#6144)
