RFR: 8362268 : NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory
Sean Mullan
mullan at openjdk.org
Wed Aug 20 11:58:38 UTC 2025
On Wed, 30 Jul 2025 20:20:33 GMT, Weibing Xiao <wxiao at openjdk.org> wrote:
> [webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
> NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory.
>
> When the exception is triggered, LDAP Connection will do "clean-up" operation and output stream get flushed and closed the context while GssKrb5Client is still wrapping the message and SaslOuput Stream is writing the content of the buffer; and at the time GSSContext is disposed and it is null. That's the reason to throw NPE.
>
> 1) Check if the context is null or not; then wrap the NPE. The change is done in GssKrb5Base.java
>
> No test file is attached for this MR since it needs Sasl LDAP server with security setup. Attached webrev for the reference.
Since this fix in the security-libs area, I think the component and subcomponent should be changed to security-libs/javax.security.
Also, please add a "noreg-hard" label to the bug with a comment explaining why it is too hard to write a regression test.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3205967533
More information about the security-dev
mailing list