Improper Handling of Missing Values

Status: Draft
Abstraction: Variant
Structure: Simple
Description

The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

Common Consequences
Scope: Integrity

Impact: Unexpected State

Demonstrative Examples

ID: DX-110

This Android application has registered to handle a URL when sent an intent:

Code Example (Bad, Java):

```java
// Registers MyReceiver for the openURL action; the receiver's onReceive()
// reads the URL extra and assumes it is always present.
IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
MyReceiver receiver = new MyReceiver();
registerReceiver(receiver, filter);
```

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, causing a null pointer exception when length() is called.
Observed Examples
CVE-2002-0422: Blank Host header triggers resultant infoleak.
CVE-2000-1006: Blank "charset" attribute in MIME header triggers crash.
CVE-2004-1504: Blank parameter causes external error infoleak.
CVE-2005-2053: Blank parameter causes external error infoleak.
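The distinction this entry draws (a name that is supplied, but with an empty, blank or null value) applied to the two failure modes in the Observed Examples, a blank Host header and a blank MIME charset attribute, as an added Python example that is not part of the CWE entry; the inputs are constructed, and the parser and handler names are hypothetical:

```python
from typing import Mapping, Optional, Tuple

# Constructed inputs modelled on the Observed Examples above: a Host header and
# a MIME charset attribute whose name is present but whose value is blank.
BLANK_HOST_REQUEST = {"Host": "", "User-Agent": "example-client"}
BLANK_CHARSET_HEADER = "text/plain; charset="

def classify_value(params: Mapping[str, Optional[str]], name: str) -> str:
    """'absent': name not given; 'missing': name given but value empty, blank
    or null (the CWE-230 case); 'present': a usable value."""
    if name not in params:
        return "absent"
    value = params[name]
    if value is None or value.strip() == "":
        return "missing"
    return "present"

def parse_content_type(header: str) -> dict:
    """Parse 'type/subtype; attr=value; ...'. A blank value is kept as '' so
    the caller, not the parser, decides how to treat it."""
    media_type, _, rest = header.partition(";")
    attrs = {}
    for part in rest.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip().strip('"')
        elif part.strip():
            attrs[part.strip().lower()] = None  # bare attribute name, no value
    return {"type": media_type.strip().lower(), "attrs": attrs}

def decode_body_naive(body: bytes, content_type: str) -> str:
    """Weak pattern: assumes charset= always carries a usable value, so a blank
    charset reaches the codec lookup and raises LookupError."""
    return body.decode(parse_content_type(content_type)["attrs"]["charset"])

def decode_body(body: bytes, content_type: str, default: str = "utf-8") -> str:
    """Hardened: an absent or blank charset falls back to a safe default."""
    attrs = parse_content_type(content_type)["attrs"]
    charset = attrs["charset"] if classify_value(attrs, "charset") == "present" else default
    return body.decode(charset)

def check_host_header(headers: Mapping[str, Optional[str]]) -> Tuple[int, str]:
    """Hardened: an absent or blank Host header gets a generic 400 rather than
    an internal error whose message could leak server details."""
    if classify_value(headers, "Host") != "present":
        return 400, "Bad Request"
    return 200, headers["Host"].strip()
```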
Applicable Platforms
Languages:
Not Language-Specific (Undetermined)
Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
  • PLOVER
  • The CERT Oracle Secure Coding Standard for Java (2011)
Notes
Research Gap: Some "crash by port scan" bugs are probably due to this, but lack of diagnosis makes it difficult to be certain.