Possible Null Pointer Dereference in TimeStampRequest.java #1895
Description
What happened?
In file: TimeStampRequest.java, there is a potential case of null pointer dereference. In method validate(), there is a call to convert(), which returns null if parameter orig is null.
private Set convert(Set orig)
{
if (orig == null)
{
return orig; // Returns null if input is null
}
Set con = new HashSet(orig.size());
// Rest of the code ...
}
public void validate(
Set algorithms,
Set policies,
Set extensions)
throws TSPException
{
algorithms = convert(algorithms);
policies = convert(policies);
extensions = convert(extensions);
if (!algorithms.contains(this.getMessageImprintAlgOID()))
{
throw new TSPValidationException("request contains unknown algorithm", PKIFailureInfo.badAlg);
}
// Rest of the code...
}In the validate() method, this null return value is not checked before use:
if (!algorithms.contains(this.getMessageImprintAlgOID()))
{
throw new TSPValidationException("request contains unknown algorithm", PKIFailureInfo.badAlg);
}So, when algorithms.contains() is called, a NullPointerException will be thrown. This creates a reliability issue and could potentially be used to bypass validation checks.
So, a possible fix can be, to add a proper null-check before use, as it's already done for policies and extensions:
if (algorithms!=null && !algorithms.contains(this.getMessageImprintAlgOID()))
{
throw new TSPValidationException("request contains unknown algorithm", PKIFailureInfo.badAlg);
}Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.