On Thu, 2 Oct 2025 16:19:56 GMT, Weibing Xiao <[email protected]> wrote:
>> [webrev.zip](https://github.com/user-attachments/files/22605072/webrev.zip) >> NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against >> Active Directory. >> >> When the exception is triggered, LDAP Connection will do "clean-up" >> operation and output stream get flushed and closed the context while >> GssKrb5Client is still wrapping the message, and tried to send the abandoned >> info to the client at line >> https://github.com/openjdk/jdk/blob/master/src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java#L140. >> That's the reason to throw NPE. >> >> The change is going to close socket and output stream in LdapClient.java. It >> would allow SASL client code to send the abandoned request to client; then >> dispose GSS context. This will avoid NPE to thrown at line 140 of >> GssKrb5Base.java. >> >> No test file is attached for this MR since it needs Sasl LDAP server with >> security setup. Attached the updated webrev for the reference. > > Weibing Xiao has updated the pull request incrementally with one additional > commit since the last revision: > > update the code The proposed solution needs more explaining, and integrate properly with the connection lock. src/java.naming/share/classes/com/sun/jndi/ldap/LdapClient.java line 497: > 495: } catch (IOException ioEx) { > 496: //ignore the error; > 497: } Given that this is called after `conn.cleanup` and that `conn.cleanup` closes the socket if not null and set it to null after, can you explain in which circumstance this method would find a non-null `conn.sock`? Another issue is that this method attempts to modify the state of the connection without holding the connection lock. This is not good. ------------- Changes requested by dfuchs (Reviewer). PR Review: https://git.openjdk.org/jdk/pull/26566#pullrequestreview-3331775448 PR Review Comment: https://git.openjdk.org/jdk/pull/26566#discussion_r2426446665
