[security-dev 01564]: Re: Code review request: 6919610 KeyTabInputStream uses static field for per-instance value
Xuelei Fan
Xuelei.Fan at Sun.COM
Wed Jan 27 04:27:26 UTC 2010
Looks fine to me.
Xuelei
On 1/25/2010 1:07 PM, Max (Weijun) Wang wrote:
> Hi All
>
> Please take a review at --
>
> http://cr.openjdk.java.net/~weijun/6919610/webrev.00
>
> Bug description follows.
>
> Thanks
> Max
>
>
>> *Change Request ID*: 6919610
>>
>> *Synopsis*: KeyTabInputStream uses static field for per-instance value
>>
>> Product: java
>> Category: jgss
>> Subcategory: krb5plugin
>> Type: Defect
>> Priority: 3-Medium
>>
>> === *Description*
>> ============================================================
>> This is a bug in the internal sun.security.krb5.internal.ktab package.
>>
>> KrbTabInputStream#readEntry(length,kvno) reads length of bytes into a
>> KeyTabEntry. A variable "index" is used to store how many bytes are
>> left unread to determine if there are enough (or more) for this
>> entry. The variable should be per-read or at least per-instance
>> (since a KrbTabInputStream should be read sequentially and thus not
>> multi-thread enabled). However, it's per-class (static) now.
>>
>> This means when multiple threads are calling the method at the same
>> time (for example, both refreshing a keytab), the value might be
>> modified by another thread during the execution of the method. If it
>> goes bigger, a false skip() will be called, otherwise, it triggers a
>> keytab corruption error. Both lead to the keytab singleton object to
>> be null.
>>
>> *** (#1 of 1): 2010-01-25 04:36:30 GMT+00:00 weijun.wang at sun.com
>
More information about the security-dev
mailing list