JDK-8024861 : Incomplete token triggers GSS-API NullPointerException
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.security
  • Affected Version: 7u25
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux_redhat_5.0
  • Submitted: 2013-09-12
  • Updated: 2014-02-12
  • Resolved: 2013-09-27
Fixed versions:
  • JDK 7: 7u60 (Fixed)
  • JDK 8: 8 b112 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b15)
Java HotSpot(TM) Server VM (build 23.25-b01, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux hostname 2.6.18-164.el5PAE #1 SMP Tue Aug 18 15:59:11 EDT 2009 i686 i686 i386 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
When a SPNEGO negotiation token that doesn't contain a mechContext is passed to the standard GSSContext.acceptSecContext implementation, internally it fails to check for the field being non-null and dereferences it, causing an NPE that is propagated to the caller.

I believe that the null check was lost and the bug introduced in this refactoring:
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d08d77ad2d7b

REGRESSION.  Last worked in version 6u45

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Execute the provided test case and observe the thrown exception.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An instance of GSSException (the declared checked exception) should be thrown with an appropriate major error code.  Under Java 1.6.0_51, the same test case results in a GSSException with the message: "Defective token detected (Mechanism level: Invalid SPNEGO NegTokenInit token : SPNEGO NegoTokenInit : did not have the right context tag for mechToken)"
ACTUAL -
A NullPointerException is thrown.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.NullPointerException
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at Test.main(Test.java:17)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import javax.xml.bind.DatatypeConverter;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

public class Test {
    public static void main(String[] args) throws Exception {
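        // A null credential makes the context act as the default acceptor principal.
        GSSCredential cred = null;
        // createContext(GSSCredential) creates an acceptor-side context.
        GSSContext ctx = GSSManager.getInstance().createContext(cred);

        // Base64-encoded SPNEGO token that triggers the NPE.
        String token64 = "YGwGBisGAQUFAqBiMGCgDjAMBgorBgEEAYI3AgIKo04wT"
                + "KA7OzkEASUkNAQBBSSBLiSBKySBJCSBISSBHiSBGySBGCSBFSSBE"
                + "iSBDySBDCSBCSSBBiSBAwSBAAQCUUehDQQLUXVhbHlzR3VhcmQ=";

        byte[] token = DatatypeConverter.parseBase64Binary(token64);
        // Throws NullPointerException on 7u25 instead of the declared GSSException.
        ctx.acceptSecContext(token, 0, token.length);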
    }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Callers need to catch NullPointerException and re-wrap it as a GSSException, which could mask other problems.
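
The workaround above can be narrowed so that only a NullPointerException thrown from inside the JGSS implementation is re-wrapped, which limits the masking it warns about. This is an added example, not code from the bug report or the JDK; the names SafeAccept, accept and raisedInJgss are hypothetical, and the package-prefix check is an assumption based on the stack trace shown above.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

/** Hypothetical helper (not JDK code): limits the NPE workaround to the JGSS provider. */
public final class SafeAccept {
    private SafeAccept() {}

    /**
     * Calls acceptSecContext and converts an NPE raised inside the JGSS
     * implementation into the checked GSSException that the API declares.
     * NPEs raised anywhere else are rethrown untouched so they are not masked.
     */
    public static byte[] accept(GSSContext ctx, byte[] token) throws GSSException {
        if (token == null || token.length == 0) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "empty token");
        }
        try {
            return ctx.acceptSecContext(token, 0, token.length);
        } catch (NullPointerException npe) {
            if (!raisedInJgss(npe)) {
                throw npe; // unrelated defect: do not hide it
            }
            GSSException ge = new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
                    "malformed token rejected by acceptor");
            ge.initCause(npe); // keep the original trace for diagnosis
            throw ge;
        }
    }

    /**
     * True when the frame that threw belongs to the sun.security.jgss packages
     * (assumption: matches the top frame in the trace from the report).
     */
    static boolean raisedInJgss(Throwable t) {
        StackTraceElement[] frames = t.getStackTrace();
        return frames.length > 0
                && frames[0].getClassName().startsWith("sun.security.jgss.");
    }
}
```

On a JDK that contains the fix (7u60, 8 b112 or later) the catch block is never reached for this token, so the wrapper can stay in place across upgrades.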
Comments
sun/security/jgss/spnego/MechTokenMissing.java has passed since B112
23-10-2013