Review request for 6432567: PIT : com/sun/jdi/BadHandshakeTest.java fails due to java.net.ConnectException

Alan Bateman Alan.Bateman at Sun.COM
Fri Sep 4 02:23:44 PDT 2009


Andrew John Hughes wrote:
> :
> Isn't there some way to test for snprintf and use it on platforms that
> aren't broken?  It seems a bad idea to leave a potential security hole
> open for the sake of one legacy platform.  snprintf is part of C99
> according to its manpage, so it should be available on all compilers
> that implement this standard.
>
> This is one reason why it would be better if OpenJDK used autoconf; it
> has a test for this exact issue, but sadly that needs to be run prior
> to the build.
>   
Windows is indeed a pain. If this were library code then we could use 
jio_snprintf but this is a debugger transport library that shouldn't 
need to be linked to the VM. As I said, we could put in platform 
dependent code for this - it's not hard, just didn't seem to be worth it 
for this one case. You are right, that if someone were to increase the 
message without resizing the buffer then we'd have the buffer overflow 
issue back again. So if folks feel strongly about this, then I can do 
this so that we are using snprintf/equivalent. Alternatively, we simply 
change this to return a generic message (like "handshake failed - the 
peer is not a debugger") and skip printing the bytes received from the 
unrecognized peer.

Moving to an autoconf build is a significant project - that's something 
for build-dev.

-Alan.
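The two options Alan describes above (a bounded snprintf-style write, or a generic message that never echoes the peer's bytes) as an added C example. This is not code from the OpenJDK transport library; the buffer size, the function names and the exact message text are assumptions, and the expected-handshake string "JDWP-Handshake" is the standard JDWP handshake rather than anything quoted on the page. The Windows branch shows the kind of platform-dependent shim mentioned in the thread: pre-VS2015 CRTs provide _vsnprintf, which returns -1 and omits the terminating NUL when the output is truncated, so the wrapper terminates the buffer itself.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the error-message buffer; the page does not give the real one. */
#define ERRMSG_SIZE 64

/*
 * Portable bounded formatter (hypothetical name). Always NUL-terminates when
 * size > 0 and never writes more than size bytes. Returns the length the full
 * message would have needed, so a result >= size means the output was cut.
 */
static int bounded_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
#if defined(_MSC_VER) && _MSC_VER < 1900
    /* Old MSVC CRT: _vsnprintf returns -1 and leaves no NUL on truncation. */
    n = _vsnprintf(buf, size, fmt, ap);
    if (n < 0 || (size_t)n >= size) {
        buf[size - 1] = '\0';
        n = (int)size;          /* report truncation to the caller */
    }
#else
    n = vsnprintf(buf, size, fmt, ap);   /* C99 semantics */
#endif
    va_end(ap);
    return n;
}

/*
 * Option 1: echo the peer's bytes, but only as many as fit. "%.*s" stops
 * after peer_len bytes, so a peer buffer that is not NUL-terminated is safe.
 * Returns 1 if the message was truncated, 0 otherwise.
 */
static int format_handshake_error(char *errmsg, size_t errmsg_size,
                                  const char *peer_bytes, size_t peer_len)
{
    int needed;

    if (errmsg_size == 0)
        return 1;
    needed = bounded_snprintf(errmsg, errmsg_size,
                              "handshake failed - received >%.*s< - expected >JDWP-Handshake<",
                              (int)peer_len, peer_bytes);
    return needed < 0 || (size_t)needed >= errmsg_size;
}

/*
 * Option 2: a fixed message that never includes peer-controlled data, so the
 * buffer size only has to cover one constant string. Returns 1 if even the
 * constant did not fit.
 */
static int generic_handshake_error(char *errmsg, size_t errmsg_size)
{
    static const char msg[] = "handshake failed - the peer is not a debugger";

    if (errmsg_size == 0)
        return 1;
    if (errmsg_size <= sizeof msg - 1) {
        memcpy(errmsg, msg, errmsg_size - 1);
        errmsg[errmsg_size - 1] = '\0';
        return 1;
    }
    memcpy(errmsg, msg, sizeof msg);
    return 0;
}

int main(void)
{
    char errmsg[ERRMSG_SIZE];
    /* Constructed sample: what a non-debugger peer might send instead of the handshake. */
    const char peer[] = "HTTP/1.1 GET / nonsense";

    if (format_handshake_error(errmsg, sizeof errmsg, peer, sizeof peer - 1))
        printf("(truncated) ");
    printf("%s\n", errmsg);
    generic_handshake_error(errmsg, sizeof errmsg);
    printf("%s\n", errmsg);
    return 0;
}
```

The key property is that the size passed to the formatter is the size of the destination, not an estimate of the message length, so growing the format string later cannot reintroduce the overflow; at worst the message is cut and the caller is told so.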
