RFR 8031111: fix krb5 caddr (and 8079821: MSOID2.java test is not perfect)

Valerie Peng valerie.peng at oracle.com
Wed Jun 3 18:31:40 UTC 2015


> I don't think it's worth doing. Overflow at nt[pos-1] means the size 
> is bigger than 65535 (or 32767, unsigned? Not sure at the moment) 
> which is impossible for a SPNEGO token. Furthermore, if we really want 
> to worry about it, we will need to expand the length octets from 2 
> bytes to 3 bytes and it will be much more complicated.
Ok, just add some comment to state this then.
No further comments.
Thanks,
Valerie



On 6/1/2015 6:24 PM, Weijun Wang wrote:
>
>
> On 06/02/2015 04:36 AM, Valerie Peng wrote:
>>
>> Some nit/questions for 8031111 webrev:
>> In the test, why not use "noaddresses" since it's the one documented in
>> the krb5 conf page?
>
> I'll use noaddresses.
>
>> If "noaddresses" is true, then the extra_addresses has no effect, right?
>> I didn't see checking for the "noaddresses" in HostAddresses.java file.
>> Is that done somewhere else?
>
> The getLocalAddresses() method is only called in KrbAsReq as
>
>         if (addresses == null && cfg.useAddresses()) {
>             addresses = HostAddresses.getLocalAddresses();
>         }
>
> cfg.useAddress() checks the noaddresses setting.
>
>>
>> As for 8079821 webrev, do you need to check nt[pos-1] for overflow as well
>> when adding 1 to it?
>
> I don't think it's worth doing. Overflow at nt[pos-1] means the size 
> is bigger than 65535 (or 32767, unsigned? Not sure at the moment) 
> which is impossible for a SPNEGO token. Furthermore, if we really want 
> to worry about it, we will need to expand the length octets from 2 
> bytes to 3 bytes and it will be much more complicated.
>
> Thanks
> Max
>
>> Valerie
>>
>> On 5/8/2015 8:00 AM, Weijun Wang wrote:
>>> Hi Valerie
>>>
>>> Please review the code change at
>>>
>>>    http://cr.openjdk.java.net/~weijun/8031111/webrev.00/
>>>
>>> The code to read local addresses is updated. We are also supporting
>>> the extra_addresses krb5.conf setting.
>>>
>>> This code change triggers a bug (MSOID2.java) in a test I've recently
>>> added, please also review the change at
>>>
>>>    http://cr.openjdk.java.net/~weijun/8079821/webrev.00/
>>>
>>> Thanks
>>> Max



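The overflow question in this thread (a bare increment of the last length octet, and the jump from 2 to 3 length octets) is illustrated below as an added example; it is not code from either webrev or from MSOID2.java. The class and method names are hypothetical, and the byte arrays are constructed headers rather than real SPNEGO tokens.

```java
public class DerLengthBump {
    /** Minimal DER encoding of a definite length (short form below 0x80, else 0x8N + N octets). */
    static byte[] encodeLength(int len) {
        if (len < 0) throw new IllegalArgumentException("negative length");
        if (len < 0x80) return new byte[] {(byte) len};
        int n = len <= 0xff ? 1 : len <= 0xffff ? 2 : len <= 0xffffff ? 3 : 4;
        byte[] enc = new byte[1 + n];
        enc[0] = (byte) (0x80 | n);
        for (int i = n; i >= 1; i--, len >>>= 8) enc[i] = (byte) len;
        return enc;
    }

    /** Returns a copy of der whose length field starting at lenPos is increased by delta. */
    static byte[] addToLength(byte[] der, int lenPos, int delta) {
        int first = der[lenPos] & 0xff;            // mask: Java bytes are signed
        int n = first < 0x80 ? 0 : first & 0x7f;   // count of long-form length octets
        if (first == 0x80 || n > 4) throw new IllegalArgumentException("unsupported length form");
        long len = n == 0 ? first : 0;
        for (int i = 1; i <= n; i++) len = (len << 8) | (der[lenPos + i] & 0xff);
        long newLen = len + delta;
        if (newLen < 0 || newLen > Integer.MAX_VALUE) throw new ArithmeticException("length out of range");
        byte[] enc = encodeLength((int) newLen);
        int oldField = 1 + n;
        byte[] out = new byte[der.length - oldField + enc.length];
        System.arraycopy(der, 0, out, 0, lenPos);
        System.arraycopy(enc, 0, out, lenPos, enc.length);
        System.arraycopy(der, lenPos + oldField, out, lenPos + enc.length, der.length - lenPos - oldField);
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x ", x & 0xff));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed headers only (tag + length octets), not real SPNEGO tokens.
        byte[] carry = {0x30, (byte) 0x82, 0x01, (byte) 0xff};          // length 511
        byte[] grow  = {0x30, (byte) 0x82, (byte) 0xff, (byte) 0xff};   // length 65535
        byte[] naive = carry.clone();
        naive[3]++;                                 // bare increment: 0xff wraps to 0x00, no carry
        System.out.println("naive   : " + hex(naive));
        System.out.println("carry   : " + hex(addToLength(carry, 1, 1)));
        System.out.println("3 octets: " + hex(addToLength(grow, 1, 1)));
        // When the field itself grows by a byte, every enclosing TLV length must be
        // increased as well; that nesting is not handled here.
    }
}
```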