RFR: 8362268 : NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory

Sean Mullan mullan at openjdk.org
Wed Aug 20 11:53:02 UTC 2025


On Wed, 30 Jul 2025 20:20:33 GMT, Weibing Xiao <wxiao at openjdk.org> wrote:

> [webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
> NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory.
> 
> When the exception is triggered, LDAP Connection will do "clean-up" operation and output stream get flushed and closed the context while GssKrb5Client is still wrapping the message and SaslOuput Stream is writing the content of the buffer; and at the time GSSContext is disposed and it is null. That's the reason to throw NPE.
> 
> 1) Check if the context is null or not; then wrap the NPE. The change is done in GssKrb5Base.java
> 
> No test file is attached for this MR since it needs Sasl LDAP server with security setup. Attached webrev for the reference.

The bug title says "Java 11+" but the affects version field also contains 8u401 - does it also affect 8u?

In general, I would avoid putting release versions in the title of the bug as the affects version field is the right place to add that info, so please remove "on Java 11+" from the title.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3205907413


More information about the security-dev mailing list