RFR: 8362268 : NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory
Weibing Xiao
wxiao at openjdk.org
Thu Aug 7 15:38:37 UTC 2025
[webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory.
When the exception is triggered, LDAP Connection will do "clean-up" operation and output stream get flushed and closed the context while GssKrb5Client is still wrapping the message and SaslOuput Stream is writing the content of the buffer; and at the time GSSContext is disposed and it is null. That's the reason to throw NPE.
1) Check if the context is null or not; then wrap the NPE. The change is done in GssKrb5Base.java
No test file is attached for this MR since it needs Sasl LDAP server with security setup. Attached webrev for the reference.
-------------
Commit messages:
- revert the code
- Merge branch 'master' of https://github.com/openjdk/jdk into JDK-8362268
- revert javax.security.sasl.maxbuffer
- Merge branch 'JDK-8362268' of https://github.com/weibxiao/jdk into JDK-8362268
- added missing file
- added missing file
- 8362268 : NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory
Changes: https://git.openjdk.org/jdk/pull/26566/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=26566&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8362268
Stats: 6 lines in 1 file changed: 6 ins; 0 del; 0 mod
Patch: https://git.openjdk.org/jdk/pull/26566.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/26566/head:pull/26566
PR: https://git.openjdk.org/jdk/pull/26566
More information about the security-dev
mailing list