Andreas Veithen commented on AXIS2-5863:

That's because I didn't apply your patch. Instead I implemented a different 
solution, namely I changed the code so that _messageContext can't be null in 
the first place (by simply creating the MessageContext instance earlier). That 
indeed means that the piece of code you posted in the bug description remains 
unchanged. Note that similar code is produced in multiple locations in the 
template. I may have missed one instance. If that's the case, let me know.

> Possible null dereference in ServiceStub class
> ----------------------------------------------
>                 Key: AXIS2-5863
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5863
>             Project: Axis2
>          Issue Type: Bug
>          Components: codegen
>    Affects Versions: 1.7.5
>            Reporter: Petr Dvorak
>            Priority: Minor
>              Labels: security
>             Fix For: 1.7.6
>         Attachments: diff.patch
> We use Coverity Scan tool to audit our open-source code against security 
> vulnerabilities. Possible NullPointerException was detected in Axis2 
> generated ServiceStub class code. The issue occurs in following generated 
> code:
> {code:java}
> } finally {
>     if (_messageContext.getTransportOut() != null) {
>         _messageContext.getTransportOut().getSender()
>         .cleanup(_messageContext);
>     }
> }
> {code}
> In case "_messageContext" is set to null, the if condition throws NPE. Also, 
> we can see the path on how this variable value actually may become null, so 
> we believe the issue is valid and null check should be present...
> Here are possible implications of the issue from the security perspective:
> http://cwe.mitre.org/data/definitions/476.html

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org

Reply via email to