[security-dev 00010]: BUG: krb5 client leaks UDP, causes failure under load.

Jan Grant jan.grant at bristol.ac.uk
Wed Aug 1 03:03:57 PDT 2007

I've tried to raise this in the past; the opening of the relevant bits 
of the JDK have encouraged me to try again.

sun.security.krb5.internal.UDPClient has no close() method; and the 
UDPClient-using code path in sun.security.krb5.KrbKdcReq (which has a 
few other close-to-the-coalface errors) consequently leaks FDs (unlike 
the TCP path, which has a try/finally that closes the socket properly).

We're seeing a krb5 client application (the Yale CAS SSO) keel over in 
no time due to FD exhaustion. A trivial fix (the non-whitespace part of 
the diff is 8 lines) sorts this out.

I've tried to report this in the past without much luck: engineers were 
initially very responsive then it got picked up and kind of fell flat. 
Whilst I'm chasing the beauracracy here to get a release signed, I think 
the patch itself is so trivial it probably doesn't warrant much concern.

Full report is stashed here:


including a patch against the contents of jdk_sec-1_5_0-src-scsl.zip; 
this affects all platforms.

A unit test is hard to do; however if you look at support case 37763365 
you should find a small piece of code (and associated typescipt) that 
demonstrates the krb5 client slowly using up UDP sockets.

Eventually the GC will kick in and reclaim these; however, (1) relying 
on GC to manage any resource other than memory is a bug; (2) we're still 
seeing failures before GC has a chance to work.

Let me know what I can do to progress this; according to various reports 
this fault has been around for a long time. It'd be good to knock it on 
the head.


jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661   http://ioctl.org/jan/
I am now available for general use under a modified BSD licence.

More information about the security-dev mailing list