[Bug] NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory

Osipov, Michael (IN IT IN) michael.osipov at innomotics.com
Tue Apr 29 08:54:31 UTC 2025


On 2025-04-28 10:22, Osipov, Michael (IN IT IN) wrote:
 > Hi folks,
 > Hi Max,
 >
 > please assess the following bug I have found in Java 11+, it does not 
exist
 > in Java 8. I have tried the following most versions on Azul Zulu/
 > OpenJDK: 8, 11, 17, 21, 24 on multiple platforms. Searched JBS as well,
 > nothing found.

I was able to debug this and find the cause.
It is a regression from 
https://github.com/openjdk/jdk11u/commit/bcac47f00ac6cf511ad7709fb9d39276ac27b049, 
introduced with https://bugs.openjdk.org/browse/JDK-8313657.
I can even reproduce this with the HPE JDK 8 for HP-UX, so I guess they 
have backported that broken fix.

Connection#flushAndCloseOutputStream() closes the SaslOutputStream() 
which disposes the GSS security context and sets it to null. After that 
Connection#abandonRequest(LdapRequest, Control[]) is invoked which still 
uses the SaslOutputStream:
 >             synchronized (this) {
 >                 outStream.write(ber.getBuf(), 0, ber.getDataLen());
 >                 outStream.flush();
 >             }

Andrew,

can you log a bug here?

Michael


More information about the security-dev mailing list