[PATCH] JDK-8194630: Uninitialized initiator_address in native GSS

Valerie Peng valerie.peng at oracle.com
Wed Feb 21 18:16:27 UTC 2018


I have this on my to-do list and will include this for the next release, 
JDK 11, whose release date is Nov this year.
Thanks,
Valerie

On 2/21/2018 8:39 AM, Jan Kalina wrote:
> I have prepared a fix for a bug related to using the native GSS API.
> Uninitialized fields cause a JVM crash or authentication failure.
>
> The consequences of the bug are described in more detail in the bug report:
> https://bugs.openjdk.java.net/browse/JDK-8194630
> A reproducer is attached to the bug report too.
>
> Would anyone be interested in reviewing/sponsoring this change?
> It would be really great to get this into JDK 9 and above.
> (I am covered by Red Hat OCA.)
>
> Thanks for your response!
>
> PATCH:
> ----------------------------------------------
> diff --git a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c 
> b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c
> --- a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c
> +++ b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c
> @@ -169,6 +169,11 @@
>    // initialize addrtype in CB first
>    cb->initiator_addrtype = GSS_C_AF_NULLADDR;
>    cb->acceptor_addrtype = GSS_C_AF_NULLADDR;
> +  // addresses needs to be initialized to empty
> +  cb->initiator_address.length = 0;
> +  cb->initiator_address.value = NULL;
> +  cb->acceptor_address.length = 0;
> +  cb->acceptor_address.value = NULL;
>
>    /* set up initiator address */
>    jinetAddr = (*env)->CallObjectMethod(env, jcb,
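Review bot: The four assignments added after the addrtype defaults initialize initiator_address and acceptor_address member by member, so any other member of cb that is only assigned later in the function would still start out uninitialized. The hunk does not show how cb is allocated; if it is not already zeroed, consider clearing the whole structure once at allocation (calloc or memset) and then setting the two addrtype fields to GSS_C_AF_NULLADDR, which covers every member, including ones added later. The new comment would also be more useful if it said why the defaults matter (the length/value pairs must be valid even when no address is set afterwards), and its grammar should read "addresses need to be initialized to empty".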
> ----------------------------------------------
>


