8323562: SaslInputStream.read() may return wrong value #17365
👋 Welcome back serb! A progress list of the required criteria for merging this PR into
I'll wait until GA is fixed.
Just curious if this was found by inspection or when debugging some issue with LDAP authentication? Asking on whether it is feasible or not to have more tests in this area.
/contributor add @shipilev |
@mrserb It was found by code inspection.
Looks fine. I think the common style is to use capitalized 0xFF, but that one is not enforced consistently. This will do as well.
No need, that one is an easy target for static analyzers. This bug was found by one :)
@mrserb This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 31 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the
I think this one will require digging into whether the no-arg read is used in the authentication or not. It might not be, in which case it's not testable with something that emulates LDAPv3. However, if it is used then we should have fuzzing or other tests to exercise it. I'm not saying it should be part of this PR, but finding a 15+ year issue in authentication code is concerning, so it will need follow-up.
@@ -78,7 +78,7 @@ public int read() throws IOException { | |||
byte[] inBuf = new byte[1]; | |||
int count = read(inBuf, 0, 1); | |||
if (count > 0) { | |||
return inBuf[0]; | |||
return inBuf[0] & 0xff; | |||
} else { | |||
return -1; |
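Review bot: The `& 0xff` mask on the changed `return` line is the right fix: `inBuf[0]` is a signed `byte`, so any value in 0x80..0xFF was sign-extended to a negative int, and 0xFF in particular came back as -1, which a caller cannot distinguish from the end-of-stream sentinel `InputStream.read()` reserves. The `else` branch still maps every non-positive `count` to -1, so if `read(inBuf, 0, 1)` can ever return 0 here a zero-length read is reported as EOF; either document that it cannot return 0 or loop until one byte or a genuine -1 arrives.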
As a separate follow up, even this else block might need some review on whether count can practically be 0 here and, if so, whether it's OK to return -1 (implying EOF) in such cases.
Digging into this, it seems this was looked at last year and the conclusion was this code is not used, but for some reason there wasn't a follow up JBS issue created at the time.
AFAICT the no-arg read() method is never called by the JNDI/LDAP stack. This explains why it never made any test fail.
/integrate
Going to push as commit 5cf7947.
Your commit was automatically rebased without conflicts.
SaslInputStream.read() should return a value in the range from 0 to 255 per the spec of InputStream.read() but it returns the signed byte from the inBuf as is.
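The following is an added, self-contained illustration of the defect described above and is not code from the OpenJDK PR itself. The class name `OneByteRead` is hypothetical; it reproduces the shape of the changed method over an arbitrary `InputStream`, with and without the mask, so the sign-extension and the resulting false EOF can be observed on a constructed payload.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Hypothetical wrapper mirroring the no-arg read() in the PR: one byte is
 * pulled through read(byte[], int, int) and returned as an int. Java bytes
 * are signed, so without a mask bytes 0x80..0xFF come back as -128..-1.
 */
public class SignedReadDemo {

    static final class OneByteRead extends InputStream {
        private final InputStream in;
        private final boolean mask; // true = behaviour after the fix

        OneByteRead(InputStream in, boolean mask) {
            this.in = in;
            this.mask = mask;
        }

        @Override
        public int read() throws IOException {
            byte[] inBuf = new byte[1];
            int count = in.read(inBuf, 0, 1);
            if (count > 0) {
                // Pre-fix: sign-extended byte. Post-fix: masked to 0..255,
                // the range InputStream.read() promises.
                return mask ? (inBuf[0] & 0xff) : inBuf[0];
            }
            return -1; // end of stream
        }
    }

    /** Reads with the idiomatic EOF loop and returns how many bytes it saw. */
    static int drain(InputStream in) throws IOException {
        int n = 0;
        while (in.read() != -1) {
            n++;
        }
        return n;
    }

    /** Returns the value read() yields for a single byte under either mode. */
    static int readOne(byte b, boolean mask) throws IOException {
        return new OneByteRead(new ByteArrayInputStream(new byte[] {b}), mask).read();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payload: high bytes including 0xFF mid-stream.
        byte[] payload = {0x01, 0x7f, (byte) 0x80, (byte) 0xff, 0x41, 0x42};

        System.out.println("0x80 unmasked: " + readOne((byte) 0x80, false));
        System.out.println("0x80 masked:   " + readOne((byte) 0x80, true));
        System.out.println("0xFF unmasked: " + readOne((byte) 0xff, false));
        System.out.println("0xFF masked:   " + readOne((byte) 0xff, true));

        System.out.println("drained, unmasked: "
                + drain(new OneByteRead(new ByteArrayInputStream(payload), false)));
        System.out.println("drained, masked:   "
                + drain(new OneByteRead(new ByteArrayInputStream(payload), true)));
    }
}
```

Run with `javac SignedReadDemo.java && java SignedReadDemo`. The unmasked `drain` stops as soon as it meets the 0xFF byte, because that byte is returned as -1 and the loop takes it for end of stream, so the trailing bytes are silently dropped; the masked variant consumes the whole payload.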
Contributors: <shade@openjdk.org>
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/17365/head:pull/17365
$ git checkout pull/17365
Update a local copy of the PR:
$ git checkout pull/17365
$ git pull https://git.openjdk.org/jdk.git pull/17365/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 17365
View PR using the GUI difftool:
$ git pr show -t 17365
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/17365.diff