RFR: 8323562: SaslInputStream.read() may return wrong value
Daniel Fuchs
dfuchs at openjdk.org
Fri Jan 12 12:35:19 UTC 2024
On Fri, 12 Jan 2024 11:54:06 GMT, Alan Bateman <alanb at openjdk.org> wrote:
> I think this one will require digging into whether the no-arg read is used in the authentication or not. It might not be, in which case it's not testable with something that emulates LDAPv3. However, if it is used then we should have fuzzing or other tests to exercise it. I'm not saying it should be part of this PR but finding a 15+ year issue in authentication code is concerning so will need follow-up.
AFAICT the no-arg read() method is never called by the JNDI/LDAP stack. This explains why it never made any test fail.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/17365#issuecomment-1889065309