Fix NPE during public IP listing when a removed network or VPC ID is informed for associatenetworkid parameter

[erikbocks]

Description

When listing public IPs associated to a network, the database query only considers records that are not marked as removed. If the ID of an removed resource is informed, a null value is returned in the database query. If the caller is a User type account, during the access checks the code tries to access one of the value's properties, resulting in an NullPointerException.

A validation was added to this flow to prevent the property access when the resource is null, and the listing behavior was standardized. The same validation was added to handle removed VPCs, as the same behavior was presented for them.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

Behavior before the change

Behavior after the change

How Has This Been Tested?

First, I created an isolated network, informing a public IP address to be assigned as the network's source NAT. After that, the network was removed. Then, I authenticated with an User type account in CloudMonkey and called the listPublicIpAddresses API, informing the removed network's UUID as the associatednetworkid parameter. As expected, the exception was thrown.

Exception stack trace in Management Server's logs

2026-01-05 15:07:39,520 ERROR [c.c.a.ApiServer] (qtp1404565079-21:[ctx-8bd6ddc5, ctx-459e3280]) (logid:4b10ae2c) unhandled exception executing api command: [Ljava.lang.String;@1b1ed74b java.lang.NullPointerException: Cannot invoke "org.apache.cloudstack.acl.ControlledEntity.getDomainId()" because "entity" is null
	at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:738)
	at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:706)
	[...]
	at com.cloud.server.ManagementServerImpl.searchForIPAddresses(ManagementServerImpl.java:2651)

After applying the code with my changes to my local environment, the same steps were executed, and I validated that the behavior was fixed. The same steps were reproduced for removed VPCs.

The code was also compiled with tests on Maven.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.25%. Comparing base (9ae696d) to head (3363136).
⚠️ Report is 20 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...in/java/com/cloud/server/ManagementServerImpl.java	0.00%	15 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #12372      +/-   ##
============================================
- Coverage     16.26%   16.25%   -0.02%     
+ Complexity    13428    13420       -8     
============================================
  Files          5660     5662       +2     
  Lines        499963   500166     +203     
  Branches      60708    60733      +25     
============================================
- Hits          81330    81309      -21     
- Misses       409559   409771     +212     
- Partials       9074     9086      +12     

Flag	Coverage Δ
uitests	4.15% <ø> (-0.01%)	⬇️
unittests	17.11% <0.00%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[Copilot]

Pull request overview

This PR fixes a NullPointerException that occurs when listing public IP addresses with a removed network or VPC ID as a parameter. When a User account attempts to list IPs using a removed resource ID, the database query returns null, causing an NPE during access checks.

Key Changes

• Added null checks before accessing network and VPC objects when validating access permissions
• Search criteria parameters are now conditionally set only when the associated resource exists
• Added VpcVO import to support the VPC null check logic

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16258

[DaanHoogland]

@erikbocks , would this also apply to version 20 and 22? (not just main?)

[winterhazel]

@erikbocks as this is a bug fix, could you target 4.20?

[erikbocks]

@DaanHoogland @winterhazel, sure. The PR was re-targeted to the 4.20 branch.

[DaanHoogland]

clgtm

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The fix addresses the NPE on lines 2584-2598, but there's a similar vulnerability later in the same method. Lines 2614-2621 also retrieve the network using findById and directly access its properties (getDataCenterId() on line 2616 and getAccountId() on line 2621) without null checks. This code path is executed when listing free IP addresses (when isAllocatedOrReserved is false and vlanType is not DirectAttached). If a removed network ID is provided, this will still result in a NullPointerException.

The same null check pattern should be applied here to prevent this additional NPE scenario.

[Copilot]

The fix changes the behavior of the listPublicIpAddresses API when given a removed network or VPC ID. Consider adding test cases to verify this new behavior, specifically:

1. Test that no NullPointerException is thrown when a User account calls listPublicIpAddresses with a removed network ID
2. Test that no NullPointerException is thrown when a User account calls listPublicIpAddresses with a removed VPC ID
3. Test the expected return value when a removed entity ID is provided (currently returns empty list)

The existing tests in ManagementServerImplTest.java test the setParameters method but don't cover the access control check scenario that was causing the NPE.

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16709

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15384)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 55372 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12372-t15384-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16841

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15480)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 51748 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12372-t15480-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[RosiKyu]

LGTM

#	Test Case	Method	Status
TC1	List public IPs with removed network ID as User - no NPE	CLI (cmk as User)	PASS
TC2	List public IPs with removed VPC ID as User - no NPE	CLI (cmk as User)	PASS
TC3	List public IPs normally - no regression	CLI (cmk as User)	PASS

Result: 3/3 PASS

Pre-fix behavior: listPublicIpAddresses with a removed network/VPC ID as a User account caused NullPointerException .
Post-fix behavior: Returns empty result gracefully. Zero NPEs in the management server log.

The null check fix correctly prevents the NPE when listing public IPs with removed network or VPC IDs. No regressions observed in normal listing flow.

Detailed Test Execution Report

TC1: List public IPs with removed network ID as User - no NPE

Objective Verify that calling listPublicIpAddresses with a removed (deleted) network ID as a User account does not cause a NullPointerException (HTTP 530), and instead returns an empty result.

Test Steps

1. As RootAdmin, create User account npetest
2. Create isolated network npe-test-net under npetest
3. Deploy VM to activate the network (triggers source NAT IP allocation)
4. Destroy VM with expunge, then delete the network
5. Register API keys for npetest, configure cmk profile
6. As npetest, call: list publicipaddresses associatednetworkid=cdd57d75-3c31-4249-b9ce-2b50d18cb928

Expected Result: Empty result returned gracefully - no HTTP 530 / NPE error.

Actual Result: Empty result returned. No error, no NPE.

Test Evidence:

(npetest) 🐱 > list publicipaddresses associatednetworkid=cdd57d75-3c31-4249-b9ce-2b50d18cb928
(npetest) 🐱 >

# No NPE in management server log:
[root@ref-trl-11136-k-Mol9-rositsa-kyuchukova-mgmt1 ~]# grep -i "NullPointerException" /var/log/cloudstack/management/management-server.log
[root@ref-trl-11136-k-Mol9-rositsa-kyuchukova-mgmt1 ~]#

---

TC2: List public IPs with removed VPC ID as User - no NPE

Objective Verify that calling listPublicIpAddresses with a removed (deleted) VPC ID as a User account does not cause a NullPointerException (HTTP 530), and instead returns an empty result.

Test Steps

1. Using same setup from TC1
2. VPC npe-test-vpc was created and then deleted
3. As npetest, call: list publicipaddresses vpcid=a8480239-ce4a-4b7f-aeb4-693cf85ff2b6

Expected Result: Empty result returned gracefully - no HTTP 530 / NPE error.

Actual Result: Empty result returned. No error, no NPE.

Test Evidence:

(npetest) 🐱 > list publicipaddresses vpcid=a8480239-ce4a-4b7f-aeb4-693cf85ff2b6
(npetest) 🐱 >

# No NPE in management server log:
[root@ref-trl-11136-k-Mol9-rositsa-kyuchukova-mgmt1 ~]# grep -i "NullPointerException" /var/log/cloudstack/management/management-server.log
[root@ref-trl-11136-k-Mol9-rositsa-kyuchukova-mgmt1 ~]#

---

TC3: List public IPs normally - no regression

Objective Verify that listPublicIpAddresses without parameters still works correctly after the fix.

Test Steps

1. As npetest, call: list publicipaddresses

Expected Result: Empty result (user has no remaining public IPs after network deletion) — no error.

Actual Result:
Empty result returned normally. No error.

Test Evidence:

(npetest) 🐱 > list publicipaddresses
(npetest) 🐱 >