RFR [8043507]: javax.smartcardio.CardTerminals.list() fails on MacOSX

Ivan Gerasimov ivan.gerasimov at oracle.com
Thu May 22 07:25:12 UTC 2014


On 22.05.2014 3:13, Valerie (Yu-Ching) Peng wrote:
> Looks good.
>
Thank you Valerie!

> Have you looked for similar problems in the code? I wonder if this is 
> the only occurrence.
>
I've scanned through the rest of pcsc.c and found a few other places 
that can potentially have the same issue.
In all the places the variable is declared to be 64 bit integer, but the 
library function expects a pointer to 32 bit integer.
I didn't check whether the bugs can really be observed there, but think 
it's better to play safe and initialize variables to zero before passing 
a pointer to them to a library function.

Would you please take a look at the updated webrev?

WEBREV: http://cr.openjdk.java.net/~igerasim/8043507/1/webrev/

Sincerely yours,
Ivan


> Thanks,
> Valerie
>
> On 05/20/14 04:00, Ivan Gerasimov wrote:
>> Hello!
>>
>> The function javax.smartcardio.CardTerminals.list() sometimes fails 
>> when called from an app running on MacOSX.
>> The problem is that CALL_SCardListReaders(_, _, _, &size) 
>> expects the size variable to be of size uint32_t on os x, but we 
>> provide a pointer to 64 bit int instead.
>> As a result, the higher bits may contain garbage upon return, and we 
>> try to allocate a too large block of memory.
>>
>> The simplest solution is to initialize 'size' to zero before the call.
>>
>> No new tests with the fix, as the existing tests already demonstrate 
>> intermittent failures because of this bug.
>>
>> For example, I've seen how 
>> ./sun/security/smartcardio/TestDefault.java failed once on every few 
>> hundred runs.
>> With the fix this test doesn't fail even when running in a loop with 
>> thousands of iterations.
>>
>> Would you please review this simple fix?
>>
>> BUGURL: https://bugs.openjdk.java.net/browse/JDK-8043507
>> WEBREV: http://cr.openjdk.java.net/~igerasim/8043507/0/webrev/
>>
>> Sincerely yours,
>> Ivan
>
>
>
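
The width mismatch discussed in this thread, as an added C illustration that is not code from pcsc.c or the webrev: a hypothetical `mock_list_readers` writes a 32-bit length through the pointer it is given, and the callers show the stale upper bits, the zero-initialisation fix, and a correctly typed temporary. All function names and the `stale` value are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a library call that reports a length through a
 * pointer to a 32-bit integer. It writes exactly 4 bytes at the address. */
static void mock_list_readers(void *pcch, uint32_t needed)
{
    memcpy(pcch, &needed, sizeof needed);
}

/* Caller pattern from the thread: a 64-bit variable whose address is handed
 * to the 32-bit API. `stale` models leftover stack contents (constructed). */
uint64_t size_via_wide_var(uint64_t stale, int zero_first, uint32_t needed)
{
    uint64_t size = stale;
    if (zero_first)
        size = 0;               /* the fix proposed in the thread */
    mock_list_readers(&size, needed);
    return size;
}

/* Alternative that does not depend on byte order: give the API a variable of
 * the width it expects, then widen the result. */
uint64_t size_via_typed_temp(uint32_t needed)
{
    uint32_t tmp = 0;
    mock_list_readers(&tmp, needed);
    return (uint64_t)tmp;
}

/* Zeroing only yields the right value when the 4 written bytes are the low
 * half of the 64-bit variable, i.e. on little-endian targets. */
int is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void)
{
    uint64_t stale = 0xDEADBEEF00000000ULL;   /* constructed garbage */
    printf("uninitialised: %llu\n", (unsigned long long)size_via_wide_var(stale, 0, 64));
    printf("zeroed first:  %llu\n", (unsigned long long)size_via_wide_var(stale, 1, 64));
    printf("typed temp:    %llu\n", (unsigned long long)size_via_typed_temp(64));
    return 0;
}
```

Whatever value comes back should still be checked against a sane upper bound before it is used as an allocation size.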



