RFR: 8362268 : NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory

Weijun Wang weijun at openjdk.org
Fri Aug 22 15:40:50 UTC 2025


On Wed, 30 Jul 2025 20:20:33 GMT, Weibing Xiao <wxiao at openjdk.org> wrote:

> [webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
> NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory.
> 
> When the exception is triggered, the LDAP Connection will do a "clean-up" operation: the output stream gets flushed and the context is closed while GssKrb5Client is still wrapping the message and SaslOutputStream is writing the content of the buffer; at that time the GSSContext is disposed and is null. That's the reason the NPE is thrown.
> 
> 1) Check if the context is null or not; then wrap the NPE. The change is done in GssKrb5Base.java
> 
> No test file is attached for this MR since it needs a SASL LDAP server with a security setup. The webrev is attached for reference.

So, it seems we should NOT revert to the raw stream. We can either return earlier in `abandonRequest()` before the `write` call or the `write` should fail (which the current PR does). Of course, an exception with clear information is always better.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3214804483
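The race described in the PR text above, as an added illustration that is not code from the JDK or from this PR: a small stand-in for `GssKrb5Base` in which `dispose()` nulls the context field while another thread may still be inside `wrap()`. The `WrapContext` interface and the `GuardedWrapDemo` class are hypothetical stand-ins for `org.ietf.jgss.GSSContext` and the real SASL client, so no Kerberos setup is needed.

```java
import javax.security.sasl.SaslException;

// Hypothetical stand-in for org.ietf.jgss.GSSContext: only the two calls the bug involves.
interface WrapContext {
    byte[] wrap(byte[] data) throws SaslException;
    void dispose();
}

public class GuardedWrapDemo {
    // Modelled on the field GssKrb5Base nulls on dispose(); volatile so the
    // writer thread observes the null written by the clean-up thread.
    private volatile WrapContext secCtx;

    GuardedWrapDemo(WrapContext ctx) { this.secCtx = ctx; }

    // Before: dereferences the field directly; a concurrent dispose() yields a bare NPE.
    byte[] wrapUnguarded(byte[] data) throws SaslException {
        return secCtx.wrap(data);
    }

    // After: snapshot the reference once, then check it. Checking the field and then
    // dereferencing the field again would still race with dispose(); with the local copy
    // a dispose() that wins the race is reported by wrap() itself, not as an NPE.
    byte[] wrapGuarded(byte[] data) throws SaslException {
        WrapContext ctx = secCtx;
        if (ctx == null) {
            throw new SaslException("GSSContext already disposed; connection was cleaned up");
        }
        return ctx.wrap(data);
    }

    void dispose() {
        WrapContext ctx = secCtx;
        secCtx = null;
        if (ctx != null) ctx.dispose();
    }

    public static void main(String[] args) throws Exception {
        WrapContext fake = new WrapContext() {   // constructed stand-in, no real Kerberos
            public byte[] wrap(byte[] d) { return d; }
            public void dispose() {}
        };
        GuardedWrapDemo client = new GuardedWrapDemo(fake);
        client.dispose();   // simulate the LDAP connection clean-up running first
        try { client.wrapUnguarded("x".getBytes()); }
        catch (NullPointerException e) { System.out.println("unguarded: NPE with no context"); }
        try { client.wrapGuarded("x".getBytes()); }
        catch (SaslException e) { System.out.println("guarded: " + e.getMessage()); }
    }
}
```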

