Ok, thanks Valerie! Sorry for the spam, I had supposed my previous email was not considered to be a patch.
Martin: As this is the way it is initialized in other places, I had not considered it. http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/59e88d3b9b17/src/share/native/sun/security/jgss/wrapper/GSSLibStub.c#l132

The fixed version follows - tested and works OK - leaving it to Valerie which version will be used:

--------------------------------------------- diff --git a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c --- a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c +++ b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c @@ -169,6 +169,9 @@ // initialize addrtype in CB first cb->initiator_addrtype = GSS_C_AF_NULLADDR; cb->acceptor_addrtype = GSS_C_AF_NULLADDR; + // addresses needs to be initialized to empty + memset(&cb->initiator_address, 0, sizeof(cb->initiator_address)); + memset(&cb->acceptor_address, 0, sizeof(cb->acceptor_address)); /* set up initiator address */ jinetAddr = (*env)->CallObjectMethod(env, jcb, ---------------------------------------------

On Wed, Feb 21, 2018 at 7:26 PM, Martin Balao <mba...@redhat.com> wrote:
> Have you considered zeroizing the whole "gss_channel_bindings_t" structure
> with memset? So we don't have a problem if new fields are eventually added.
>
> On Wed, Feb 21, 2018 at 1:39 PM, Jan Kalina <jkal...@redhat.com> wrote:
>
>> I have prepared a fix for a bug related to using the native GSS API.
>> Uninitialized fields cause a JVM crash or authentication failure.
>>
>> The bug's consequences are described in more detail in the bug report:
>> https://bugs.openjdk.java.net/browse/JDK-8194630
>> A reproducer is attached to the bug report too.
>>
>> Would anyone be interested in reviewing/sponsoring this change?
>> It would be really great to get this into JDK 9 and above.
>> (I am covered by Red Hat OCA.)
>>
>> Thanks for your response!
>>
>> PATCH:
>> ----------------------------------------------
>> diff --git a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c >> b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c >> --- a/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c >> +++ b/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c >> @@ -169,6 +169,11 @@ >> // initialize addrtype in CB first >> cb->initiator_addrtype = GSS_C_AF_NULLADDR; >> cb->acceptor_addrtype = GSS_C_AF_NULLADDR; >> + // addresses needs to be initialized to empty >> + cb->initiator_address.length = 0; >> + cb->initiator_address.value = NULL; >> + cb->acceptor_address.length = 0; >> + cb->acceptor_address.value = NULL; >> >> /* set up initiator address */ >> jinetAddr = (*env)->CallObjectMethod(env, jcb, >> ---------------------------------------------- >> >> >
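
Review bot: in the quoted original hunk (@@ -169,6 +169,11 @@) the added comment "// addresses needs to be initialized to empty" states what the four assignments do but not why they are needed. The message attributes a JVM crash or failed authentication to these fields being left uninitialized, so the comment should say that and reference JDK-8194630; "needs" should also read "need". The explicit `.length = 0` / `.value = NULL` form is otherwise fine and sets a real null pointer without relying on the all-bits-zero representation.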
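
Review bot: in the revised hunk from the reply (@@ -169,6 +169,9 @@) the two memset calls clear only `initiator_address` and `acceptor_address`, so the concern raised in the review about fields added to the structure later is still open. Since `cb` is used as a pointer here, a single `memset(cb, 0, sizeof(*cb));` placed before the two `addrtype` assignments would cover every member, with the `GSS_C_AF_NULLADDR` assignments kept after it. Either way, confirm that `<string.h>` is included in GSSLibStub.c, since the hunk does not show it, and note that memset relies on an all-zero bit pattern being a null pointer, which the explicit `.value = NULL` form in the first version did not.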