JDK-8046694 : AbstractSaslImpl.traceOutput() throws an NPE when the 'output' parameter is NULL
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u45
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86_64
  • Submitted: 2014-06-09
  • Updated: 2014-06-16
  • Resolved: 2014-06-16
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux joey.ent.cloudera.com 2.6.32-431.11.2.el6.x86_64 #1 SMP Mon Mar 3 13:32:45 EST 2014 x86_64 x86_64 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
When javax.security.sasl.level is set to FINER or FINEST, then the SASL libraries use the com.sun.security.sasl.util.AbstractSaslImpl.traceOutput() function to log the buffers used in SASL negotiation.

If a response to a challenge is NULL, then this will result in an NPE when the output parameter's length field is accessed without checking if output is null first.

Example partial stack trace:

Caused by: java.lang.NullPointerException
	at com.sun.security.sasl.util.AbstractSaslImpl.traceOutput(AbstractSaslImpl.java:259)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:198)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set javax.security.sasl.level to FINER or FINEST in $JAVA_HOME/jre/lib/logging.properties and try to establish a SASL connection without a proper Kerberos session; you'll then get an NPE.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No NPE.

REPRODUCIBILITY :
This bug can be reproduced always.
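
The failure mode described in this report, reduced to a stand-alone sketch. This is an added example, not JDK source and not the submitter's code; the class, logger and method names are hypothetical. It shows that the unchecked dereference is reached only when the logger is at FINER or finer, and how a null guard in the trace helper avoids it.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration; class, logger and method names are hypothetical, not JDK source.
public class TraceNullDemo {
    private static final Logger LOG = Logger.getLogger("demo.sasl.trace");

    // Pattern from the report: the buffer's length is read with no null check.
    static void traceUnguarded(String where, byte[] output) {
        if (LOG.isLoggable(Level.FINER)) {
            LOG.log(Level.FINER, "{0} (length {1})", new Object[] {where, output.length});
        }
    }

    // Guarded form: a null response is logged as such instead of dereferenced.
    static void traceGuarded(String where, byte[] output) {
        if (!LOG.isLoggable(Level.FINER)) {
            return;
        }
        if (output == null) {
            LOG.log(Level.FINER, "{0} (no response)", where);
            return;
        }
        LOG.log(Level.FINER, "{0} (length {1})", new Object[] {where, output.length});
    }

    // Returns true if tracing a null buffer at the given level throws an NPE.
    static boolean unguardedThrows(Level level) {
        LOG.setLevel(level);
        try {
            traceUnguarded("evaluateChallenge", null);
            return false;
        } catch (NullPointerException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        LOG.setUseParentHandlers(false);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.ALL);
        LOG.addHandler(handler);

        System.out.println("INFO  -> NPE? " + unguardedThrows(Level.INFO));
        System.out.println("FINER -> NPE? " + unguardedThrows(Level.FINER));
        LOG.setLevel(Level.FINER);
        traceGuarded("evaluateChallenge", null); // logs the null case, no exception
    }
}
```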