[security-dev 01556]: Code review request: 6919610 KeyTabInputStream uses static field for per-instance value

Max (Weijun) Wang Weijun.Wang at Sun.COM
Mon Jan 25 05:07:11 UTC 2010


Hi All

Please take a look at --

     http://cr.openjdk.java.net/~weijun/6919610/webrev.00

Bug description follows.

Thanks
Max


> *Change Request ID*: 6919610
>
> *Synopsis*: KeyTabInputStream uses static field for per-instance value
>
>  Product: java
>  Category: jgss
>  Subcategory: krb5plugin
>  Type: Defect
>  Priority: 3-Medium
>
> === *Description* ============================================================
> This is a bug in the internal sun.security.krb5.internal.ktab package.
>
> KrbTabInputStream#readEntry(length,kvno) reads length of bytes into  
> a KeyTabEntry. A variable "index" is used to store how many bytes  
> are left unread to determine if there are enough (or more) for this  
> entry. The variable should be per-read or at least per-instance  
> (since a KrbTabInputStream should be read sequentially and thus not  
> multi-thread enabled). However, it's per-class (static) now.
>
> This means when multiple threads are calling the method at the same  
> time (for example, both refreshing a keytab), the value might be  
> modified by another thread during the execution of the method. If it  
> goes bigger, a false skip() will be called; otherwise, it triggers a
> keytab corruption error. Both lead to the keytab singleton object
> being null.
>
> *** (#1 of 1): 2010-01-25 04:36:30 GMT+00:00 weijun.wang at sun.com
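
The shared-counter defect described in the bug report, as an added example that is not part of the original message or the JDK source: a hypothetical `EntryReader` over a simplified length-prefixed format (an assumption, not the real keytab layout) replays one interleaving of two readers by hand, so the effect is reproducible without real threads. With the static counter, reader A consumes the length set by reader B; with the per-instance field it consumes its own.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

public class StaticIndexDemo {
    // Constructed sample data: a 4-byte big-endian length, then that many payload bytes.
    static final byte[] STREAM_A = {0, 0, 0, 2, 'a', 'b', 0, 0, 0, 1, 'c'};
    static final byte[] STREAM_B = {0, 0, 0, 4, 'w', 'x', 'y', 'z'};

    /** Hypothetical length-prefixed reader; not the JDK's KeyTabInputStream. */
    static class EntryReader extends DataInputStream {
        static int sharedIndex;          // defect: one counter for every reader
        private int index;               // fix: one counter per reader
        private final boolean perInstance;

        EntryReader(byte[] data, boolean perInstance) {
            super(new ByteArrayInputStream(data));
            this.perInstance = perInstance;
        }

        /** Step 1: read the entry length and remember how many bytes are unread. */
        void readLength() throws IOException {
            int n = readInt();
            if (perInstance) index = n; else sharedIndex = n;
        }

        /** Step 2: consume the bytes the counter says are left; returns that count. */
        int readBody() throws IOException {
            int n = perInstance ? index : sharedIndex;
            readFully(new byte[n]);
            return n;
        }
    }

    /** Replays the interleaving "A reads length, B reads length, A reads body". */
    static int bytesReadForA(boolean perInstance) throws IOException {
        EntryReader a = new EntryReader(STREAM_A, perInstance);
        EntryReader b = new EntryReader(STREAM_B, perInstance);
        a.readLength();   // A's entry is 2 bytes long
        b.readLength();   // B's entry is 4 bytes long
        return a.readBody();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("static counter:       A consumed " + bytesReadForA(false) + " bytes");
        System.out.println("per-instance counter: A consumed " + bytesReadForA(true) + " bytes");
    }
}
```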



