Fix NPE during public IP listing when a removed network or VPC ID is informed for associatenetworkid parameter

[erikbocks]

Description

When listing public IPs associated to a network, the database query only considers records that are not marked as removed. If the ID of an removed resource is informed, a null value is returned in the database query. If the caller is a User type account, during the access checks the code tries to access one of the value's properties, resulting in an NullPointerException.

A validation was added to this flow to prevent the property access when the resource is null, and the listing behavior was standardized. The same validation was added to handle removed VPCs, as the same behavior was presented for them.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

Behavior before the change

Behavior after the change

How Has This Been Tested?

First, I created an isolated network, informing a public IP address to be assigned as the network's source NAT. After that, the network was removed. Then, I authenticated with an User type account in CloudMonkey and called the listPublicIpAddresses API, informing the removed network's UUID as the associatednetworkid parameter. As expected, the exception was thrown.

Exception stack trace in Management Server's logs

2026-01-05 15:07:39,520 ERROR [c.c.a.ApiServer] (qtp1404565079-21:[ctx-8bd6ddc5, ctx-459e3280]) (logid:4b10ae2c) unhandled exception executing api command: [Ljava.lang.String;@1b1ed74b java.lang.NullPointerException: Cannot invoke "org.apache.cloudstack.acl.ControlledEntity.getDomainId()" because "entity" is null
	at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:738)
	at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:706)
	[...]
	at com.cloud.server.ManagementServerImpl.searchForIPAddresses(ManagementServerImpl.java:2651)

After applying the code with my changes to my local environment, the same steps were executed, and I validated that the behavior was fixed. The same steps were reproduced for removed VPCs.

The code was also compiled with tests on Maven.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.76%. Comparing base (4628385) to head (3e34da6).

Files with missing lines	Patch %	Lines
...in/java/com/cloud/server/ManagementServerImpl.java	0.00%	8 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12372      +/-   ##
============================================
- Coverage     17.76%   17.76%   -0.01%     
  Complexity    15861    15861              
============================================
  Files          5923     5923              
  Lines        530470   530474       +4     
  Branches      64823    64825       +2     
============================================
- Hits          94253    94251       -2     
- Misses       425673   425678       +5     
- Partials      10544    10545       +1     

Flag	Coverage Δ
uitests	3.57% <ø> (ø)
unittests	18.85% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[Copilot]

Pull request overview

This PR fixes a NullPointerException that occurs when listing public IP addresses with a removed network or VPC ID as a parameter. When a User account attempts to list IPs using a removed resource ID, the database query returns null, causing an NPE during access checks.

Key Changes

• Added null checks before accessing network and VPC objects when validating access permissions
• Search criteria parameters are now conditionally set only when the associated resource exists
• Added VpcVO import to support the VPC null check logic

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16258

[DaanHoogland]

@erikbocks , would this also apply to version 20 and 22? (not just main?)

[winterhazel]

@erikbocks as this is a bug fix, could you target 4.20?

[erikbocks]

@DaanHoogland @winterhazel, sure. The PR was re-targeted to the 4.20 branch.

[DaanHoogland]

clgtm

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The fix addresses the NPE on lines 2584-2598, but there's a similar vulnerability later in the same method. Lines 2614-2621 also retrieve the network using findById and directly access its properties (getDataCenterId() on line 2616 and getAccountId() on line 2621) without null checks. This code path is executed when listing free IP addresses (when isAllocatedOrReserved is false and vlanType is not DirectAttached). If a removed network ID is provided, this will still result in a NullPointerException.

The same null check pattern should be applied here to prevent this additional NPE scenario.

[Copilot]

The current fix silently ignores removed networks and VPCs by not adding them to the search criteria when they are null. However, this behavior is inconsistent with other parts of the codebase. For example, at lines 2507-2509 and 2514-2515, when an entity is not found (null), the code throws an InvalidParameterValueException with a descriptive error message.

Consider whether the API should throw an InvalidParameterValueException when a user explicitly provides an ID for a removed or non-existent network/VPC, rather than silently returning an empty result set. This would provide clearer feedback to API consumers about why their query is not returning expected results. The current behavior could be confusing - users might think there are simply no IPs associated with that network, when in reality the network itself doesn't exist or has been removed.

[Copilot]

The fix changes the behavior of the listPublicIpAddresses API when given a removed network or VPC ID. Consider adding test cases to verify this new behavior, specifically:

1. Test that no NullPointerException is thrown when a User account calls listPublicIpAddresses with a removed network ID
2. Test that no NullPointerException is thrown when a User account calls listPublicIpAddresses with a removed VPC ID
3. Test the expected return value when a removed entity ID is provided (currently returns empty list)

The existing tests in ManagementServerImplTest.java test the setParameters method but don't cover the access control check scenario that was causing the NPE.

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16709

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15384)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 55372 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12372-t15384-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File