Have you considered zeroizing the whole "gss_channel_bindings_t" structure with memset? So we don't have a problem if new fields are eventually added.
On Wed, Feb 21, 2018 at 1:39 PM, Jan Kalina <jkal...@redhat.com> wrote:
> I have prepared a fix for a bug related to using the native GSS API.
> Uninitialized fields cause a JVM crash or authentication failure.
>
> The bug's consequences are described in more detail in the bug report:
> https://bugs.openjdk.java.net/browse/JDK-8194630
> A reproducer is attached to the bug report too.
>
> Would anyone be interested in reviewing/sponsoring this change?
> It would be really great to get this into JDK 9 and above.
> (I am covered by Red Hat OCA.)
>
> Thanks for your response!
>
> PATCH:
> ---------------------------------------------- > diff --git a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c > b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c > --- a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c > +++ b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c > @@ -169,6 +169,11 @@ > // initialize addrtype in CB first > cb->initiator_addrtype = GSS_C_AF_NULLADDR; > cb->acceptor_addrtype = GSS_C_AF_NULLADDR; > + // addresses needs to be initialized to empty > + cb->initiator_address.length = 0; > + cb->initiator_address.value = NULL; > + cb->acceptor_address.length = 0; > + cb->acceptor_address.value = NULL; > > /* set up initiator address */ > jinetAddr = (*env)->CallObjectMethod(env, jcb, > ---------------------------------------------- > >
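Review bot: the four added assignments after `cb->acceptor_addrtype = GSS_C_AF_NULLADDR;` clear only the two address buffers by hand, so any member of the structure that this function does not assign explicitly is still left uninitialized, and the list has to be kept in sync with the structure definition. Zeroing the whole structure once, for example `memset(cb, 0, sizeof(*cb));` placed before the addrtype assignments, would cover `initiator_address`, `acceptor_address` and anything added later, and the four new lines could then be dropped. If the explicit form is kept, the new comment should read "addresses need to be initialized to empty" and would be more useful with a reference to JDK-8194630, so the next reader knows the native library misbehaves when these fields are left unset.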