RFR: 8362268 : NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory [v5]

Weibing Xiao wxiao at openjdk.org
Wed Oct 15 17:34:55 UTC 2025


> [webrev.zip](https://github.com/user-attachments/files/22605072/webrev.zip)
> NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory.
> 
> When the exception is triggered, the LDAP Connection will do a "clean-up" operation: the output stream gets flushed and the context is closed while GssKrb5Client is still wrapping the message and tries to send the abandoned info to the client at line https://github.com/openjdk/jdk/blob/master/src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java#L140. That's the reason the NPE is thrown.
> 
> The change is going to close the socket and output stream in LdapClient.java. It would allow the SASL client code to send the abandoned request to the client, then dispose of the GSS context. This will avoid the NPE being thrown at line 140 of GssKrb5Base.java.
> 
> No test file is attached for this MR since it needs a SASL LDAP server with security setup. The updated webrev is attached for reference.

Weibing Xiao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 26 additional commits since the last revision:

 - update the code
 - Merge branch 'master' of github.com:openjdk/jdk into JDK-8362268
 - Merge branch 'master' into JDK-8362268
 - Merge branch 'master' of github.com:weibxiao/jdk
 - Merge branch 'openjdk:master' into master
 - Merge branch 'openjdk:master' into master
 - Merge branch 'master' of github.com:openjdk/jdk
 - Merge branch 'openjdk:master' into master
 - Merge branch 'master' of github.com:openjdk/jdk
 - Merge branch 'master' of github.com:openjdk/jdk
 - ... and 16 more: https://git.openjdk.org/jdk/compare/b031257e...4dd20668

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/26566/files
  - new: https://git.openjdk.org/jdk/pull/26566/files/77b418d4..4dd20668

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=26566&range=04
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=26566&range=03-04

  Stats: 271102 lines in 4269 files changed: 197659 ins; 48393 del; 25050 mod
  Patch: https://git.openjdk.org/jdk/pull/26566.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/26566/head:pull/26566

PR: https://git.openjdk.org/jdk/pull/26566

