On Wed, 20 Aug 2025 11:56:18 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> [webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
>> NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP
>> auth-int against Active Directory.
>>
>> When the exception is triggered, LDAP Connection will do a "clean-up"
>> operation: the output stream gets flushed and the context is closed while
>> GssKrb5Client is still wrapping the message and SaslOutputStream is writing
>> the content of the buffer; at that time the GSSContext is disposed and it is
>> null. That's the reason it throws NPE.
>>
>> 1) Check if the context is null or not; then wrap the NPE. The change is
>> done in GssKrb5Base.java.
>>
>> No test file is attached for this MR since it needs a SASL LDAP server with
>> security setup. Attached webrev for reference.
>
> Since this fix is in the security-libs area, I think the component and
> subcomponent should be changed to security-libs/javax.security.
>
> Also, please add a "noreg-hard" label to the bug with a comment explaining
> why it is too hard to write a regression test.

I am the reporter of this bug in the mailing list.

@seanjmullan, yes, it is also present in JDK 8. Confirmed myself on HP-UX where the JDK is provided by HPE. They have either cherry-picked the faulty commit or used an already updated tree.

@weibxiao I do not fully understand this fix. It does not really fix the issue, does it? It converts one NPE into another. From my PoV the regression should be reverted and another, better fix should be employed. As @wangweij writes [here](https://mail.openjdk.org/pipermail/security-dev/2025-August/047531.html), let LDAP complete the `abandonRequest()` and then free resources.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3209383391
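The two teardown strategies argued about above, as an added illustration that is not JDK code and not part of the PR: `Ctx`, `NaiveClient`, `OrderedClient` and the `abandonRequest` payload string are hypothetical stand-ins, and the in-flight counter plus `closing` flag is one assumed way of "let the pending request complete, then free resources". The naive client disposes the context the moment clean-up runs, so a write that is already in progress fails whether or not a null check is added (the check only changes the exception type); the ordered client defers disposal until the in-flight wrap has finished, so the write completes and the context is still released afterwards.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.locks.ReentrantLock;

// Added illustration (not JDK code) of the two teardown strategies discussed in the comment.
public class TeardownOrdering {

    /** Hypothetical stand-in for a GSSAPI security context. */
    static final class Ctx {
        String wrap(String plain) { return "WRAP(" + plain + ")"; }
    }

    /** Common shape for the two clients; midpoint lets the demo interleave close() mid-wrap. */
    interface Client {
        String wrap(String plain, Runnable midpoint);
        void close();
        boolean disposed();
    }

    /** Clean-up nulls the context with no regard for in-flight work. Without the
     *  null check the writer dies with an NPE; with it, an ISE. Either way the write is lost. */
    static final class NaiveClient implements Client {
        private volatile Ctx ctx = new Ctx();
        public String wrap(String plain, Runnable midpoint) {
            midpoint.run();                     // connection clean-up can run here
            Ctx c = ctx;                        // field read after close() nulled it
            if (c == null) throw new IllegalStateException("GSS context already disposed"); // the null-check variant
            return c.wrap(plain);
        }
        public void close() { ctx = null; }     // dispose immediately
        public boolean disposed() { return ctx == null; }
    }

    /** close() only marks the client as closing; the context is disposed by whichever
     *  side finishes last, so a wrap that already started always completes. */
    static final class OrderedClient implements Client {
        private final ReentrantLock lock = new ReentrantLock();
        private Ctx ctx = new Ctx();
        private int inFlight;
        private boolean closing;

        public String wrap(String plain, Runnable midpoint) {
            Ctx c;
            lock.lock();
            try {
                if (closing || ctx == null) throw new IllegalStateException("client closed");
                c = ctx;                        // pin the context for the duration of this call
                inFlight++;
            } finally { lock.unlock(); }
            try {
                midpoint.run();
                return c.wrap(plain);           // ctx cannot be disposed while inFlight > 0
            } finally {
                lock.lock();
                try { if (--inFlight == 0 && closing) ctx = null; } finally { lock.unlock(); }
            }
        }
        public void close() {
            lock.lock();
            try { closing = true; if (inFlight == 0) ctx = null; } finally { lock.unlock(); }
        }
        public boolean disposed() {
            lock.lock();
            try { return ctx == null; } finally { lock.unlock(); }
        }
    }

    /** Starts a wrap, calls close() while it is paused mid-way, then lets it resume. */
    static String race(Client client) throws InterruptedException {
        CountDownLatch paused = new CountDownLatch(1), resume = new CountDownLatch(1);
        String[] outcome = new String[1];
        Thread writer = new Thread(() -> {
            try {
                outcome[0] = client.wrap("abandonRequest", () -> {
                    paused.countDown();
                    try { resume.await(); } catch (InterruptedException e) { throw new RuntimeException(e); }
                });
            } catch (RuntimeException e) {
                outcome[0] = e.getClass().getSimpleName() + ": " + e.getMessage();
            }
        });
        writer.start();
        paused.await();                         // writer is mid-wrap
        client.close();                         // connection clean-up fires now
        resume.countDown();                     // writer continues
        writer.join();
        return outcome[0] + " (disposed=" + client.disposed() + ")";
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("naive:   " + race(new NaiveClient()));
        System.out.println("ordered: " + race(new OrderedClient()));
    }
}
```

Running `main` shows the naive client's write ending in the wrapped exception while the ordered client's write returns the wrapped payload, with both clients reporting the context disposed once the race is over. The latches make the interleaving deterministic, so the demo does not depend on thread timing.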