JDK-7095856 : OutputStreamHook doesn't handle null values
  • Type: Bug
  • Component: other-libs
  • Sub-Component: corba:rmi-iiop
  • Affected Version: 1.4.2_05,8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2011-09-28
  • Updated: 2016-08-26
  • Resolved: 2014-07-01
Fix versions:
  • JDK 7: 7u76 (Fixed)
  • JDK 8: 8u40 (Fixed)
  • JDK 9: 9 b22 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)
Java HotSpot(TM) Client VM (build 1.4.2_05-b04, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
BEA WebLogic has a protocol called thin client which makes use of SUN's IIOP implementation in JDK. If a component tries to send a java.security.Permissions object with a null "allPermission" member field through SUN's IIOP implementation, it throws the NullPointerException:

java.lang.NullPointerException
        at java.util.Hashtable.put(Hashtable.java:393)
        at com.sun.corba.se.internal.io.OutputStreamHook$HookPutFields.put(OutputStreamHook.java:97)
        at java.security.Permissions.writeObject(Permissions.java:359)
        at com.sun.corba.se.internal.io.IIOPOutputStream.writeObject(Native Method)
        at com.sun.corba.se.internal.io.IIOPOutputStream.invokeObjectWriter(IIOPOutputStream.java:560)
        at com.sun.corba.se.internal.io.IIOPOutputStream.outputObject(IIOPOutputStream.java:523)
        at com.sun.corba.se.internal.io.IIOPOutputStream.simpleWriteObject(IIOPOutputStream.java:123)
        at com.sun.corba.se.internal.io.ValueHandlerImpl.writeValueInternal(ValueHandlerImpl.java:136)
        at com.sun.corba.se.internal.io.ValueHandlerImpl.writeValue(ValueHandlerImpl.java:116)
        at weblogic.iiop.IIOPOutputStream.write_value(IIOPOutputStream.java:1636)
        at weblogic.iiop.IIOPOutputStream.write_value(IIOPOutputStream.java:1667)
        at weblogic.iiop.RMIMsgOutput.writeObject(RMIMsgOutput.java:105)
        at examples.ejb20.basic.statelessSession.statelessSession_mt9oui_EOImpl_WLSkel.invoke(Unknown Source)
        at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:477)
        at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:108)
        at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:420)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:144)
        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:415)
        at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)

You only need to analyse the source code of these two classes to understand the problem:
java.security.Permissions
com.sun.corba.se.internal.io.OutputStreamHook

When Permissions.writeObject(ObjectOutputStream) is called, it tries to write the members by
        ObjectOutputStream.PutField pfields = out.putFields();
        pfields.put("allPermission", allPermission);
        pfields.put("perms", perms);
        out.writeFields();

The variable "pfields" is an instance of com.sun.corba.se.internal.io.OutputStreamHook$HookPutFields. pfields.put(String, Object) calls java.util.Hashtable.put(String, Object) with a null "allPermission" member but Hashtable.put(String, Object) throws NullPointerException according to JDK javadoc http://java.sun.com/j2se/1.4.2/docs/api/java/util/Hashtable.html#put(java.lang.Object,%20java.lang.Object)



REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
1) make sure the java.security.Permissions to send has a java.security.AllPermission member so the private member "allPermission" is not null. E.g. put a dummy AllPermission object
2) fall back to jdk 1.4.1_0x but 1.4.1 is already EOL.
(Incident Review ID: 311240) 
======================================================================
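
The failure mode described in the report, reduced to a stand-alone Java program. This is an added example, not code from the report or from the JDK: `FieldStore` and `writeLikePermissions` are hypothetical names, and swapping the backing map for one that accepts null values is one possible way to tolerate the null field, not necessarily the change made in the JDK fix.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

public class PutFieldsNullDemo {
    // Hypothetical stand-in for a PutField implementation that only stores
    // name/value pairs in the map it is given, as the report describes.
    static final class FieldStore {
        private final Map<String, Object> fields;
        FieldStore(Map<String, Object> backing) { this.fields = backing; }
        void put(String name, Object value) { fields.put(name, value); }
        boolean has(String name) { return fields.containsKey(name); }
    }

    // Mirrors the two put() calls of Permissions.writeObject quoted above.
    static String writeLikePermissions(FieldStore pfields, Object allPermission) {
        try {
            pfields.put("allPermission", allPermission);
            pfields.put("perms", new Hashtable<Class<?>, Object>());
            return "ok, allPermission recorded: " + pfields.has("allPermission");
        } catch (NullPointerException e) {
            return "NullPointerException, perms recorded: " + pfields.has("perms");
        }
    }

    public static void main(String[] args) throws Exception {
        // Hashtable rejects null values, so the null field aborts the write
        // before the remaining fields are stored.
        System.out.println("Hashtable-backed: "
                + writeLikePermissions(new FieldStore(new Hashtable<>()), null));

        // HashMap accepts null values and still records that the field was set.
        System.out.println("HashMap-backed:   "
                + writeLikePermissions(new FieldStore(new HashMap<>()), null));

        // java.io.ObjectOutputStream accepts the same object: a Permissions
        // with no AllPermission added has a null allPermission field.
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(new Permissions());
            System.out.println("java.io stream:   ok");
        }
    }
}
```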

Comments
Release team: Approved for deferral to 9
22-10-2013

My understanding is that the JDK-7038843 changes resolve the issue for null stackTraces. This bug deals with another scenario where a null Permissions object is passed to the IIOP stream, i.e. the putFields method in IIOP stream can't handle null values. No one has escalated this issue and while the fix looks simple, it's something that should be changed for jdk9 IMO.
21-10-2013

Are we sure that this issue exists in JDK 8? This issue came up during the end-game of 7 and a fix was put into java.lang.Throwable to address it (see JDK-7038843). An AI from that analysis was to fix the IIOP code and it would be useful to know if the AI is this bug or whether this is a separate NPE.
21-10-2013