Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8149169

SSLSocketInputRecord.decodeInputRecord buffer overflow

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P2 P2
    • 9
    • 9
    • security-libs
    • b112
    • Verified

      Bug reported at http://mail.openjdk.java.net/pipermail/security-dev/2016-February/013387.html
      ----------------------------------------------------------
      Hi,

      while supporting an app development team, I'm facing a tough TLS issue - maybe you experts have an idea.

      They try to open an HTTPS connection to the server URL https://nfe-homologacao.sefazrs.rs.gov.br:443/ws/NfeAutorizacao/NFeAutorizacao.asmx. This is a Web Service of some Brazilian financial authority. So, what I'm basically doing is this:

      --code snippet--
      URL url = new URL("https://nfe-homologacao.sefazrs.rs.gov.br:443/ws/NfeAutorizacao/NFeAutorizacao.asmx");
      HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
      con.setHostnameVerifier(new DefaultHostnameVerifier());

      // optional default is GET
      con.setRequestMethod("GET");

      System.out.println("Sending 'GET' request to URL: " + url);
      int responseCode = con.getResponseCode();
      System.out.println("Response Code: " + responseCode);
      --end code snippet-

      I expect it to return "403 - not authorized".

      The coding will work with JDK7. However, with JDK8, I get this type of exception:

      java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed
              at java.net.SocketInputStream.socketRead0(Native Method)
              at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
              at java.net.SocketInputStream.read(SocketInputStream.java:170)
              at java.net.SocketInputStream.read(SocketInputStream.java:141)
              at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
              at sun.security.ssl.InputRecord.read(InputRecord.java:503)
              at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
              at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930)
              at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
              at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
              at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
              at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
              at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:704)
              at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
              at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:675)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
              at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
              ...

      I can get it to work in JDK8 by forcing it to TLSv1 only, e.g. by setting property -Djdk.tls.client.protocols=TLSv1.

      For JDK9 I even get a different exception:
      javax.net.ssl.SSLException: java.nio.BufferOverflowException
              at sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1948)
              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1900)
              at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1883)
              at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1809)
              at sun.security.ssl.AppInputStream.read(AppInputStream.java:173)
              at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
              at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
              at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
              at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:704)
              at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
              at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:675)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1534)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1439)
              at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:319)
              at com.sap.cl.HttpsURLConnectionTest.sendGETRequest(HttpsURLConnectionTest.java:42)
              at com.sap.cl.HttpsURLConnectionTest.main(HttpsURLConnectionTest.java:63)
      Caused by: java.nio.BufferOverflowException
              at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:206)
              at sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:226)
              at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:178)
              at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1012)
              at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:957)
              at sun.security.ssl.AppInputStream.read(AppInputStream.java:159)
              ... 12 more

      I've debugged a lot today and tried to get something out of the javax.net.debug output but I didn't get any further with this - probably due to my lack of understanding the details of TLS communication and its implementation. I know the server is using some legacy protocol but still I think it should work.

      Maybe someone has any helpful idea? Is it a bug? You can simply try to run my test code snippet and should see the issue immediately...

      Thanks
      Christoph

            clanger Christoph Langer
            xuelei Xuelei Fan
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: