
NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory


    • Type: Bug
    • Resolution: Unresolved
    • Priority: P3
    • 25.0.2
    • 8u401, 11.0.22, 11.0.22-oracle, 17.0.10, 17.0.10-oracle, 21.0.1
    • core-libs

      This only happens when "javax.security.sasl.qop" is set to "auth-int" or "auth-conf".

      When the exception is triggered, the LDAP connection runs its clean-up, which flushes and closes the output stream while GssKrb5Client is still wrapping a message and SaslOutputStream is still trying to write the buffered content. By then the GSSContext has already been disposed and is null, which is what causes the NPE.

      One failure scenario is a buffer received in SaslInputStream that is larger than the default maximum (threshold 65536 bytes). This triggers closure of the LDAP connection, and the output stream is closed with it.

      Solution:
      1) Use javax.security.sasl.maxbuffer to increase the buffer size
      2) Update Connection::cleanup so that it does not close the output stream
      3) Check the GSSContext for null before wrapping the message in GssKrb5Base.java
      4) Improve the error message; the current buffer-oversize error message is not exposed to client code

      Reference from OpenJDK mailing list https://mail.openjdk.org/pipermail/security-dev/2025-April/045603.html
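The following is an added example, not code from the bug report or from the JDK, showing the affected JNDI setup (QOP auth-int over ldaps with the default 64 KiB receive buffer) beside the workaround from step 1 above. The server URL, base DN and the 1 MiB limit are assumed placeholder values, and the code assumes it runs with a Kerberos credential already available (for example inside Subject.doAs after a JAAS login).

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class GssapiMaxBufferWorkaround {
    // Placeholder server and base DN (assumed); replace with the real AD values.
    static final String LDAPS_URL = "ldaps://dc.example.invalid:636";
    static final String BASE_DN = "DC=example,DC=invalid";
    // JNDI environment for SASL GSSAPI over TLS with the given QOP.
    // maxBuffer == null keeps the default receive-buffer limit of 65536 bytes.
    static Hashtable<String, String> ldapEnv(String qop, String maxBuffer) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", qop);            // "auth", "auth-int" or "auth-conf"
        if (maxBuffer != null) {
            env.put("javax.security.sasl.maxbuffer", maxBuffer); // Sasl.MAX_BUFFER, bytes as a string
        }
        return env;
    }

    // One subtree search; a large wrapped response is what can exceed the receive
    // buffer and trigger the connection clean-up described in the report.
    static int countEntries(Hashtable<String, String> env, String filter) throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
            int n = 0;
            while (results.hasMore()) { results.next(); n++; }
            return n;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Affected setup: ldapEnv("auth-int", null) keeps the 64 KiB default; an oversize reply
        // closes the connection and surfaces as the NPE. Workaround (step 1): raise the limit (1 MiB, assumed).
        Hashtable<String, String> env = ldapEnv("auth-int", "1048576");
        System.out.println("entries: " + countEntries(env, "(objectClass=user)"));
    }
}
```

Raising maxbuffer only avoids the triggering condition; the stream-closure and null-check fixes in steps 2 and 3 are what remove the NPE itself.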

            wxiao Weibing Xiao