RFR 8183591: Incorrect behavior when reading DER value with Integer.MAX_VALUE length
Adam Petcher
adam.petcher at oracle.com
Tue Jul 18 17:55:05 UTC 2017
Some additional investigation revealed that IOUtils.readFully() is only
used by DER, JKS, and Kerberos. None of these need the "read to the end
of the buffer" feature. This behavior of readFully() is confusing, so it
is probably best to remove it.
Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.01/
On 7/12/2017 2:38 PM, Adam Petcher wrote:
> This is a bug fix for a corner case in which a DER value has length
> equal to Integer.MAX_VALUE. The code uses IOUtils.readFully() to read
> the value, which interprets length=Integer.MAX_VALUE to mean "read to
> the end." The result is that no exception will be thrown when fewer
> then Integer.MAX_VALUE bytes are read from the stream. The fix adds a
> check after the readFully() to ensure that the expected number of
> bytes were read.
>
> Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.00/
> JBS: https://bugs.openjdk.java.net/browse/JDK-8183591
>
More information about the security-dev
mailing list