[security-dev 00204]: NullPointerException at sun.security.ssl.OutputRecord.writeBuffer
Kanatoko
anvil at jumperz.net
Tue Jun 24 08:48:12 UTC 2008
Hello list
I found a bug. Please fix it.
Thanks in advance.
--
ERROR MESSAGES/STACK TRACES THAT OCCUR :
TRACE 307528: (thread=200004)
java.lang.Throwable.<init>(Throwable.java:197)
java.lang.Exception.<init>(Exception.java:46)
java.lang.RuntimeException.<init>(RuntimeException.java:49)
java.lang.NullPointerException.<init>(NullPointerException.java:53)
sun.security.ssl.OutputRecord.writeBuffer(OutputRecord.java:314)
sun.security.ssl.OutputRecord.write(OutputRecord.java:303)
sun.security.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:761)
sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:746)
sun.security.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:1722)
sun.security.ssl.SSLSocketImpl.warning(SSLSocketImpl.java:1571)
sun.security.ssl.SSLSocketImpl.closeInternal(SSLSocketImpl.java:1373)
sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:1312)
sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:249)
java.lang.ref.Finalizer.invokeFinalizeMethod(Finalizer.java:Unknown line)
java.lang.ref.Finalizer.runFinalizer(Finalizer.java:101)
java.lang.ref.Finalizer.access$100(Finalizer.java:32)
java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:178)
Type: bug
SDN ID:
status: Waiting
Category: jsse
Subcategory: runtime
Company: bitforest Co.,Ltd. ( in Japan )
release: 6
hardware: x86
OSversion: linux
priority: 4
Synopsis: SSLServerSocket file descriptor leak
Description:
FULL PRODUCT VERSION :
java version "1.6.0_10-beta"
Java(TM) SE Runtime Environment (build 1.6.0_10-beta-b25)
Java HotSpot(TM) 64-Bit Server VM (build 11.0-b12, mixed mode)
java version "1.6.0_02"
Java(TM) SE Runtime Environment (build 1.6.0_02-b05)
Java HotSpot(TM) Client VM (build 1.6.0_02-b05, mixed mode, sharing)
java version "1.6.0_04"
Java(TM) SE Runtime Environment (build 1.6.0_04-b12)
Java HotSpot(TM) 64-Bit Server VM (build 10.0-b19, mixed mode)
java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
Java HotSpot(TM) 64-Bit Server VM (build 1.5.0_14-b03, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux myserver1 2.6.22 #2 SMP Fri Jan 4 18:21:24 JST 2008 i686 i686 i386 GNU/Linux
Linux myserver2 2.6.22 #11 SMP Thu Feb 7 04:31:44 JST 2008 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
File descriptors of TCP sockets are not released properly when using the SSLServerSocket class (especially with many instances) on Linux systems.
If a server application (like Jakarta Tomcat) runs for a very long time, this problem will cause a 'too many open files' error and a denial of service.
Please note that we need to use the 'lsof' command instead of the 'netstat' command to see whether the file descriptor leak is happening or not.
Because the leaked sockets are not bound to any TCP addresses, we cannot see the sockets using the 'netstat' command.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Save the source code as 'test1.java'.
2. Compile with 'javac test1.java'.
3. Run with 'java -Djavax.net.ssl.keyStore=.keystore -Djavax.net.ssl.keyStorePassword=changeit test1'
(You need your own .keystore file and password.)
4. In another Linux shell, execute the 'lsof' command.
'lsof -n -p PID_OF_JAVA_TEST1'
(PID_OF_JAVA_TEST1 is the process ID of our test case.)
5. We will see many lines like below.
java 1919 root 884u sock 0,5 10398 can't identify protocol
java 1919 root 885u sock 0,5 10399 can't identify protocol
java 1919 root 886u sock 0,5 10418 can't identify protocol
java 1919 root 887u sock 0,5 10420 can't identify protocol
java 1919 root 888u sock 0,5 10422 can't identify protocol
java 1919 root 890u sock 0,5 10443 can't identify protocol
java 1919 root 891u sock 0,5 10444 can't identify protocol
java 1919 root 892u sock 0,5 10445 can't identify protocol
java 1919 root 893u sock 0,5 10446 can't identify protocol
java 1919 root 894u sock 0,5 10447 can't identify protocol
java 1919 root 895u sock 0,5 10448 can't identify protocol
These are the leaked file descriptors.
In addition,
6. We can also see the leaked file descriptors in '/proc/PID_OF_JAVA_TEST1/fd'
7. And in /proc/net/sockstat, these leaked file descriptors are counted as allocated TCP sockets.
For example: 'TCP: inuse 3 orphan 0 tw 0 alloc 663 mem 2'
When this java process ends, the number 'alloc 663' will decrease.
8. If we repeat the 'foo()' function more, we can see the 'too many open files' error message.
Please change the line
for( int i = 0; i < 1000; ++i )
to
for( int i = 0; i < 2000; ++i )
and test again to see the error message.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
'lsof' command does not show too many lines of 'can't identify protocol' sockets.
ACTUAL -
Please see the 'Steps to Reproduce' field.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;

public class test1
{
    private static ServerSocketFactory ssf;
    //------------------------------------------------
    public static void main( String[] args )
    throws Exception
    {
        // Default SSL factory; the keystore comes from the -Djavax.net.ssl.* properties.
        ssf = SSLServerSocketFactory.getDefault();
        for( int i = 0; i < 1000; ++i )
        {
            foo();
        }
        // Keep the process alive so its descriptors can be inspected with lsof.
        Thread.sleep( 1000000 );
    }
    //------------------------------------------------
    private static void foo()
    throws Exception
    {
        // Listen on an ephemeral port, connect to it locally, accept, then close all three sockets.
        ServerSocket sSocket = ssf.createServerSocket( 0, 1 );
        Socket socket1 = new Socket( "127.0.0.1", sSocket.getLocalPort() );
        Socket socket2 = sSocket.accept();
        sSocket.close();
        socket1.close();
        socket2.close();
    }
    //------------------------------------------------
}
---------- END SOURCE ----------
--
Kanatoko<anvil at jumperz.net>
Open Source WebAppFirewall
http://guardian.jumperz.net/
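
The checks described in steps 4 to 7 of the report can be automated for monitoring. The following is an added example, not part of the original post: it parses `lsof` output and the `TCP:` line of `/proc/net/sockstat` and summarises the leak indicators. The function names, the `fd_limit` and `warn_ratio` parameters, and the sample listening-socket line are assumptions made for illustration.

```python
import re

# Constructed sample: three leaked lines in the format quoted in the report,
# plus one ordinary listening socket for contrast.
SAMPLE_LSOF = """\
java 1919 root 5u IPv6 10390 TCP *:8443 (LISTEN)
java 1919 root 884u sock 0,5 10398 can't identify protocol
java 1919 root 885u sock 0,5 10399 can't identify protocol
java 1919 root 886u sock 0,5 10418 can't identify protocol
"""
# The /proc/net/sockstat TCP line quoted in the report.
SAMPLE_SOCKSTAT = "TCP: inuse 3 orphan 0 tw 0 alloc 663 mem 2\n"
LEAK_NAME = "can't identify protocol"

def leaked_socket_fds(lsof_text):
    """Return (fd, inode) for each socket lsof cannot tie to a protocol."""
    leaked = []
    for line in lsof_text.splitlines():
        if not line.rstrip().endswith(LEAK_NAME):
            continue
        head = line[: line.rindex(LEAK_NAME)].split()
        # head: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE
        if len(head) < 7 or head[4] != "sock":
            continue
        fd = re.match(r"\d+", head[3])  # strip the access-mode suffix, e.g. "884u"
        if fd and head[-1].isdigit():
            leaked.append((int(fd.group()), int(head[-1])))
    return leaked

def tcp_counters(sockstat_text):
    """Parse the 'TCP:' line of /proc/net/sockstat into a dict of ints."""
    for line in sockstat_text.splitlines():
        if line.startswith("TCP:"):
            parts = line.split()[1:]
            return {k: int(v) for k, v in zip(parts[0::2], parts[1::2])}
    return {}

def leak_summary(lsof_text, sockstat_text, fd_limit=1024, warn_ratio=0.5):
    """Summarise leak indicators; fd_limit and warn_ratio are assumed defaults."""
    leaked = leaked_socket_fds(lsof_text)
    tcp = tcp_counters(sockstat_text)
    return {
        "leaked_fds": len(leaked),
        "highest_fd": max((fd for fd, _ in leaked), default=None),
        "alloc_minus_inuse": tcp.get("alloc", 0) - tcp.get("inuse", 0),
        "warn": len(leaked) >= fd_limit * warn_ratio,
    }

if __name__ == "__main__":
    print(leak_summary(SAMPLE_LSOF, SAMPLE_SOCKSTAT, fd_limit=4))
```

On a live system, feed it the output of `lsof -n -p PID` and the contents of `/proc/net/sockstat`, and set `fd_limit` to the process's open-file limit.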