CodeQL documentation

Poor error handling: catch of NullReferenceException

ID: cs/catch-nullreferenceexception
Kind: problem
Security severity: 
Severity: warning
Precision: very-high
Tags:
   - reliability
   - correctness
   - external/cwe/cwe-395
Query suites:
   - csharp-security-and-quality.qls


Catching NullReferenceException should not be used as a substitute for the checks and assertions that prevent dereferencing a null reference in the first place. A NullReferenceException signals a programming error, not an expected condition: a catch block for it hides that error, swallows every other null dereference that happens anywhere inside the try block (including ones in code the author did not intend to guard), and is far more expensive than a simple null check.

Recommendation

Check whether the variable is null before dereferencing it, and handle the null case explicitly (for example with an if statement, the null-conditional operator ?., or the null-coalescing operator ??). Where null is not a legitimate value at all, assert on it at the boundary rather than catching the exception it would later cause.

Example

In the following example class, findPerson returns null if the person is not found. Main does not test for that case; instead it dereferences p inside a try block and relies on catching NullReferenceException to detect the missing person.

using System;

class CatchOfNullReferenceException
{
    // Returns null when no person with the given name exists.
    public static Person findPerson(string name)
    {
        // ...
    }

    public static void Main(string[] args)
    {
        Console.WriteLine("Enter name of person:");
        Person p = findPerson(Console.ReadLine());
        try
        {
            // BAD: p may be null here; the dereference is "guarded" only by the catch below.
            Console.WriteLine("Person is {0:D} years old", p.getAge());
        }
        catch (NullReferenceException e)
        {
            // Masks any NullReferenceException raised in the try block, not just a null p.
            Console.WriteLine("Person not found.");
        }
    }
}

The following example has been updated to test the return value for null explicitly, so that a missing person is handled as an expected outcome and any other NullReferenceException is no longer hidden.

using System;

class CatchOfNullReferenceExceptionFix
{
    // Returns null when no person with the given name exists.
    public static Person findPerson(string name)
    {
        // ...
    }

    public static void Main(string[] args)
    {
        Console.WriteLine("Enter name of person:");
        Person p = findPerson(Console.ReadLine());
        // GOOD: check for null before dereferencing; no catch of NullReferenceException needed.
        if (p != null)
        {
            Console.WriteLine("Person is {0:D} years old", p.getAge());
        }
        else
        {
            Console.WriteLine("Person not found.");
        }
    }
}
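The example above shows the fix, but not the failure mode that makes the original pattern dangerous. The following program is an added example, not code from the CodeQL documentation: it constructs a small in-memory directory (the Person class with a nullable Manager property, the Directory class and its FindPerson method are all invented for this illustration) and contrasts the two approaches side by side. The catch-based version reports "Person not found." for a person who does exist, because an unrelated null dereference inside ManagerName throws the same exception type; the check-based version reports the missing person correctly and lets the latent bug surface.

```csharp
// Added example (not part of the CodeQL docs). Shows how a catch of
// NullReferenceException masks an unrelated bug, and the idiomatic
// null-check alternative. Person, Directory and the sample data below
// are constructed for this illustration.
using System;
using System.Collections.Generic;

#nullable enable

class Person
{
    public string Name { get; }
    public int Age { get; }
    public Person? Manager { get; set; }   // null is legitimate: top-level staff have no manager

    public Person(string name, int age) { Name = name; Age = age; }

    // Latent bug: dereferences Manager without a null check.
    public string ManagerName() => Manager.Name;
}

static class Directory
{
    // Field initializers run in textual order, so bob exists before alice refers to him.
    static readonly Person bob = new("bob", 41);                     // Manager is null
    static readonly Person alice = new("alice", 34) { Manager = bob };
    static readonly Dictionary<string, Person> people = new()
    {
        [alice.Name] = alice,
        [bob.Name] = bob,
    };

    // Same contract as findPerson in the docs: returns null when not found.
    public static Person? FindPerson(string name) =>
        people.TryGetValue(name, out var p) ? p : null;
}

class Program
{
    // The pattern cs/catch-nullreferenceexception flags. The catch swallows
    // every NullReferenceException raised in the block, not only the one a
    // missing person would cause.
    static string DescribeWithCatch(string name)
    {
        Person? p = Directory.FindPerson(name);
        try
        {
            return $"{p.Name} reports to {p.ManagerName()}";
        }
        catch (NullReferenceException)
        {
            // Wrong for "bob": he exists, but ManagerName() dereferenced a null Manager.
            return "Person not found.";
        }
    }

    // Recommended: test for null explicitly and handle the optional Manager
    // with ?. and ??. The bug in ManagerName is no longer hidden.
    static string DescribeWithCheck(string name)
    {
        Person? p = Directory.FindPerson(name);
        if (p is null)
        {
            return "Person not found.";
        }
        string manager = p.Manager?.Name ?? "nobody";
        return $"{p.Name} reports to {manager}";
    }

    static void Main()
    {
        foreach (var name in new[] { "alice", "bob", "carol" })
        {
            Console.WriteLine($"{name,-6} catch: {DescribeWithCatch(name)}");
            Console.WriteLine($"{name,-6} check: {DescribeWithCheck(name)}");
        }
    }
}
```

Running it prints "Person not found." for bob under the catch-based version and "bob reports to nobody" under the check-based one; only carol, who is absent from the directory, is reported as not found by both. Note that with nullable reference types enabled the compiler already warns about the unchecked dereferences in DescribeWithCatch and ManagerName, which is the cheaper place to catch this class of error.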

References

  • Common Weakness Enumeration: CWE-395.
