[PATCH] JDK-8194630: Uninitialized initiator_address in native GSS
Valerie Peng
valerie.peng at oracle.com
Wed Feb 21 18:16:27 UTC 2018
I have this on my to-do list and will include this for the next release,
JDK 11, whose release date is Nov this year.
Thanks,
Valerie
On 2/21/2018 8:39 AM, Jan Kalina wrote:
> I have prepared a fix for a bug related to using the native GSS API.
> Uninitialized fields cause a JVM crash or authentication failure.
>
> The bug's consequences are described in more detail in the bug report:
> https://bugs.openjdk.java.net/browse/JDK-8194630
> A reproducer is attached to the bug report too.
>
> Would anyone be interested in reviewing/sponsoring this change?
> It would be really great to get this into JDK 9 and above.
> (I am covered by Red Hat OCA.)
>
> Thanks for your response!
>
> PATCH:
> ----------------------------------------------
> diff --git a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c
> b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c
> --- a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c
> +++ b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c
> @@ -169,6 +169,11 @@
> // initialize addrtype in CB first
> cb->initiator_addrtype = GSS_C_AF_NULLADDR;
> cb->acceptor_addrtype = GSS_C_AF_NULLADDR;
> + // addresses needs to be initialized to empty
> + cb->initiator_address.length = 0;
> + cb->initiator_address.value = NULL;
> + cb->acceptor_address.length = 0;
> + cb->acceptor_address.value = NULL;
>
> /* set up initiator address */
> jinetAddr = (*env)->CallObjectMethod(env, jcb,
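Review bot: the four assignments added after `cb->acceptor_addrtype = GSS_C_AF_NULLADDR;` cover only `initiator_address` and `acceptor_address`, and nothing in this hunk shows the third buffer of the channel bindings structure, `application_data`, being given a defined length and value. If any path later in this function can leave it unassigned, it has the same problem this patch fixes for the addresses. Please confirm that it is always set, or zero the whole structure once before the addrtype lines (for example `memset(cb, 0, sizeof(*cb));`) and then keep the explicit `GSS_C_AF_NULLADDR` assignments, so that any member added later also starts out empty. The new comment should read "addresses need to be initialized to empty", and it would help to say why: the code that follows fills the address in from `jinetAddr`, so the empty value is what the native library sees when no address is supplied. Since the message says a reproducer is attached to the bug report, consider adding it as a regression test with this change.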
> ----------------------------------------------
>