-
Bug
-
Resolution: Done
-
Major
-
7.1.0.DR8
Coverity static-analysis scan found 2 possible calls on null objects in SSLConfiguratorImpl.getDefaultSSLParameters() method.
Both calls are related to following line:
configure(original, supportedSSLParameters.getProtocols(), supportedSSLParameters.getCipherSuites());
https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5759887&defectInstanceId=1541383&mergedDefectId=1375370
The getCipherSuites() call can return null (javax.net.ssl.SSLParameters.getCipherSuites) which can propagate to CipherSuiteSelector.evaluate() call where supportedMechanisms.length is used without null check.
https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5759887&defectInstanceId=1541384&mergedDefectId=1375371
The getProtocols() call can return null (javax.net.ssl.SSLParameters.getProtocols) which can propagate to ProtocolSelector.evaluate() call where supportedProtocols is used in for loop without null check.
Suggested improvement
Add null checks.
- is cloned by
-
ELY-741 Coverity static analysis: Dereference null return value in SSLConfiguratorImpl (Elytron)
- Resolved