RFR: 8362268 : NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory [v4]
Weibing Xiao
wxiao at openjdk.org
Thu Oct 2 16:19:56 UTC 2025
> [webrev.zip](https://github.com/user-attachments/files/22605072/webrev.zip)
> NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory.
>
> When the exception is triggered, the LDAP Connection will do a "clean-up" operation, and the output stream gets flushed and closes the context while GssKrb5Client is still wrapping the message and trying to send the abandoned info to the client at line https://github.com/openjdk/jdk/blob/master/src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java#L140. That's the reason the NPE is thrown.
>
> The change is going to close the socket and output stream in LdapClient.java. It would allow the SASL client code to send the abandoned request to the client, then dispose of the GSS context. This will avoid the NPE being thrown at line 140 of GssKrb5Base.java.
>
> No test file is attached for this MR since it needs a SASL LDAP server with security setup. The updated webrev is attached for reference.
Weibing Xiao has updated the pull request incrementally with one additional commit since the last revision:
update the code
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/26566/files
- new: https://git.openjdk.org/jdk/pull/26566/files/dd21da3e..77b418d4
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=26566&range=03
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=26566&range=02-03
Stats: 35 lines in 3 files changed: 4 ins; 31 del; 0 mod
Patch: https://git.openjdk.org/jdk/pull/26566.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/26566/head:pull/26566
PR: https://git.openjdk.org/jdk/pull/26566