JDK-8256818 : SSLSocket that is never bound or connected leaks socket resources
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8u271,11.0.9-oracle,13,15,16
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2020-11-21
  • Updated: 2023-11-29
  • Resolved: 2020-12-02
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 16 JDK 8 Other
11.0.11-oracleFixed 16 b27Fixed 8u271Fixed openjdk8u302Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Relates :  
Description
There is a flaw in sun.security.ssl.SSLSocketImpl::close() which leads to leaking socket resources after JDK-8224829.

The close method calls duplexCloseOutput() and duplexCloseInput(). In case of an exception in any of these methods, the call to closeSocket() is bypassed, and the underlying Socket may not be closed.

This manifests in a real life leak after JDK-8224829 has introduced a call to getSoLinger() on the path of duplexCloseOutput -> closeNotify. If socket impl / OS socket hadn't been created yet it is done at that place. But then after duplexCloseOutput eventually fails with a SocketException since the socket wasn't connected, closing fails to call Socket::close().

This problem can be reproduced by this code:
		        SSLSocket sslSocket = (SSLSocket)SSLSocketFactory.getDefault().createSocket();
		        sslSocket.getSSLParameters();
		        sslSocket.close();

This is what happens when SSLContext.getDefault().getDefaultSSLParameters() is called, with close() being eventually called by the finalizer.
Comments
Fix Request (8u): Backport to 8u requested because it is a part of 8u291-oracle. Patch doesn't apply cleanly, review approval email: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-April/013695.html Note: there is already a Fix Request filed for this backport, it is added to the backport issue [1]. AFAIU the recent changes to the process (please correct me if I am wrong), Fix Request needs to be filed in the main issue, so adding it here. [1] https://bugs.openjdk.java.net/browse/JDK-8259013?focusedCommentId=14413647&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14413647
27-04-2021

Fix Request (11u): Backport to 11u requested because it is a part of 11.0.11-oracle. Patch doesn't apply cleanly, review approval email: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-December/004508.html
29-12-2020

Changeset: 93b6ab56 Author: Christoph Langer <clanger@openjdk.org> Date: 2020-12-02 19:23:26 +0000 URL: https://git.openjdk.java.net/jdk/commit/93b6ab56
02-12-2020

Fix proposal: https://github.com/openjdk/jdk/pull/1363
21-11-2020