Stig Rohde Døssing created STORM-3074:
-----------------------------------------

             Summary: Inconsistent null checking in SaslMessageToken
                 Key: STORM-3074
                 URL: https://issues.apache.org/jira/browse/STORM-3074
             Project: Apache Storm
          Issue Type: Bug
          Components: storm-client
    Affects Versions: 1.2.1, 1.0.6, 1.1.2, 2.0.0
            Reporter: Stig Rohde Døssing
            Assignee: Stig Rohde Døssing


The SaslMessageToken class will throw an NPE if buffer() is called and the 
payload is null. While the buffer method checks whether the token is null in a 
few places before dereferencing, the encodedLength method is called right off 
the bat, and it doesn't check for null.

The payload is always generated by either 
https://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslServer.html#evaluateResponse(byte[])
or 
https://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslClient.html#evaluateChallenge(byte[]).
The javadoc indicates that if these return null, authentication has succeeded 
and it is unnecessary to send any more messages to the other party.

I think if null SaslMessageToken payloads are never sent over the wire, we 
should remove all the null checking in SaslMessageToken and MessageDecoder, and 
ensure that the SASL handlers check for null before deciding to write tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
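
The handler-side null check proposed in the report, as an added example that is not part of the original message and is not Storm's code. `Token`, `tokenFor` and `handshake` are hypothetical names, the framing sizes and credentials are constructed, and DIGEST-MD5 is an assumed mechanism, chosen because the JDK ships both a client and a server for it.

```java
import java.util.Objects;
import java.util.Optional;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslNullPayloadDemo {
    // Hypothetical wire token, not Storm's SaslMessageToken: the constructor
    // rejects null, so the encoding code needs no null checks at all.
    static final class Token {
        final byte[] payload;
        Token(byte[] payload) { this.payload = Objects.requireNonNull(payload, "payload"); }
        int encodedLength() { return 2 + 4 + payload.length; } // constructed framing: id + length + body
    }

    // The handler-side check: a null SASL result means "nothing more to send".
    static Optional<Token> tokenFor(byte[] saslResult) {
        return saslResult == null ? Optional.empty() : Optional.of(new Token(saslResult));
    }

    // Runs an in-process handshake and returns how many tokens the client wrote.
    static int handshake() throws Exception {
        CallbackHandler cbh = callbacks -> { // constructed credentials, shared by both sides
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("demo-user");
                else if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword("demo-secret".toCharArray());
                else if (cb instanceof RealmCallback)
                    ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                else if (cb instanceof AuthorizeCallback)
                    ((AuthorizeCallback) cb).setAuthorized(true);
            }
        };
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "demo", "localhost", null, cbh);
        SaslClient client = Sasl.createSaslClient(
                new String[] {"DIGEST-MD5"}, null, "demo", "localhost", null, cbh);
        int sent = 0;
        byte[] challenge = server.evaluateResponse(new byte[0]);
        while (challenge != null) {
            Optional<Token> token = tokenFor(client.evaluateChallenge(challenge));
            if (!token.isPresent()) break; // null result: handshake is done, write nothing
            sent++;
            challenge = server.evaluateResponse(token.get().payload);
        }
        if (!client.isComplete() || !server.isComplete())
            throw new IllegalStateException("handshake did not complete");
        return sent;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("client tokens written: " + handshake());
    }
}
```

In this exchange the null comes from the client's final `evaluateChallenge` call, after it has verified the server's last message, so the check has to sit in the handler on both sides.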