From owner-freebsd-java@FreeBSD.ORG Tue Mar 27 09:50:09 2007 Return-Path: X-Original-To: freebsd-java@hub.freebsd.org Delivered-To: freebsd-java@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 335C716A40E for ; Tue, 27 Mar 2007 09:50:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id EE5B913C489 for ; Tue, 27 Mar 2007 09:50:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l2R9o8oW055352 for ; Tue, 27 Mar 2007 09:50:08 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l2R9o8lY055351; Tue, 27 Mar 2007 09:50:08 GMT (envelope-from gnats) Resent-Date: Tue, 27 Mar 2007 09:50:08 GMT Resent-Message-Id: <200703270950.l2R9o8lY055351@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-java@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, jan grant Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7C22A16A535 for ; Tue, 27 Mar 2007 09:41:08 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [69.147.83.33]) by mx1.freebsd.org (Postfix) with ESMTP id 6C86013C46C for ; Tue, 27 Mar 2007 09:41:08 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l2R9f81t091159 for ; Tue, 27 Mar 2007 09:41:08 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id l2R9a7Fe089835; Tue, 27 Mar 2007 09:36:07 GMT (envelope-from nobody) Message-Id: <200703270936.l2R9a7Fe089835@www.freebsd.org> Date: Tue, 27 Mar 2007 09:36:07 GMT From: jan grant To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.0 Cc: Subject: java/110913: Java krb5 client leaks UDP connections X-BeenThere: freebsd-java@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting Java to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Mar 2007 09:50:09 -0000 >Number: 110913 >Category: java >Synopsis: Java krb5 client leaks UDP connections >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-java >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Mar 27 09:50:08 GMT 2007 >Closed-Date: >Last-Modified: >Originator: jan grant >Release: Tracking STABLE >Organization: university of bristol >Environment: Irrelevant (it's a java security class bug) >Description: I'm trying to raise a bug with Sun about the sun.security.krb5 implementation; they're being recalcitrant (I keep on getting new hoops to jump through when actually examining the code in question would make the problem obvious in 10 minutes). The problem is a straightforward resource leak, as you can see if you look at this: http://java.sun.com/j2se/jrl_download.html in particular, at jdk_sec-1_5_0-src-scsl.zip You'll see that sun.security.krb5.internal.UDPClient has no close() method; and the UDPClient-using code path in sun.security.krb5.KrbKdcReq (which has a few other close-to-the-coalface errors) consequently leaks FDs (unlike the TCP path, which has a try/finally that closes the socket properly). We're seeing a krb5 client application (the Yale CAS SSO) keel over in no time due to FD exhaustion. A trivial fix (the non-whitespace part of the diff is 8 lines) sorts this out. I attach a patch against the tree from an expanded jdk_sec-1_5_0-src-scsl.zip that addresses this. Unsure about the status of the patch since the JCL license looks a little confusing, however, the fix is trivial. If this works for you, I'd appreciate it if you could punt this back upstream to sun (possibly ref. support case 37763365 ?) (I did email this patch privately to Greg but I've no indication that he received it. Note that the patch includes whitespace changes to SCSLed/JCLed code which is why I was reluctant to send it to freebsd-java@; without the whitespace the meat of the patch is 8 lines) >How-To-Repeat: We're seeing it by installing Yale/JASIG's CAS system and having it do krb5 authentication against our AD. Having said that, a simple test case is available if you want to look at this, but examining the code makes this utterly obvious. >Fix: Patch against the security classes supplied. Patch attached with submission follows: diff -r -u jgss1.5.0-src-orig/src/share/classes/sun/security/krb5/internal/UDPClient.java jgss1.5.0-src/src/share/classes/sun/security/krb5/internal/UDPClient.java --- jgss1.5.0-src-orig/src/share/classes/sun/security/krb5/internal/UDPClient.java 2004-09-21 00:05:08.000000000 +0100 +++ jgss1.5.0-src/src/share/classes/sun/security/krb5/internal/UDPClient.java 2007-01-09 20:06:53.742243561 +0000 @@ -85,4 +85,8 @@ return data; } + public void close() throws IOException { + dgSocket.close(); + } + } diff -r -u jgss1.5.0-src-orig/src/share/classes/sun/security/krb5/KrbKdcReq.java jgss1.5.0-src/src/share/classes/sun/security/krb5/KrbKdcReq.java --- jgss1.5.0-src-orig/src/share/classes/sun/security/krb5/KrbKdcReq.java 2004-09-21 00:05:08.000000000 +0100 +++ jgss1.5.0-src/src/share/classes/sun/security/krb5/KrbKdcReq.java 2007-01-09 20:13:13.977349280 +0000 @@ -256,37 +256,41 @@ // get the response for (int i=1; i <= DEFAULT_KDC_RETRY_LIMIT; i++) { UDPClient kdcClient = new UDPClient(kdc, port, timeout); + try { - if (DEBUG) { - System.out.println(">>> KDCCommunication: kdc=" + kdc - + (useTCP ? " TCP:":" UDP:") - + port + ", timeout=" - + timeout - + ",Attempt =" + i - + ", #bytes=" + obuf.length); - } - /* - * Send the data to the kdc. - */ + if (DEBUG) { + System.out.println(">>> KDCCommunication: kdc=" + kdc + + (useTCP ? " TCP:":" UDP:") + + port + ", timeout=" + + timeout + + ",Attempt =" + i + + ", #bytes=" + obuf.length); + } + /* + * Send the data to the kdc. + */ - kdcClient.send(obuf); + kdcClient.send(obuf); - /* - * And get a response. - */ - try { - ibuf = kdcClient.receive(); - break; - } catch (SocketTimeoutException se) { - if (DEBUG) { - System.out.println ("SocketTimeOutException with " + - "attempt: " + i); - } - if (i == DEFAULT_KDC_RETRY_LIMIT) { - ibuf = null; - throw se; - } - } + /* + * And get a response. + */ + try { + ibuf = kdcClient.receive(); + break; + } catch (SocketTimeoutException se) { + if (DEBUG) { + System.out.println ("SocketTimeOutException with " + + "attempt: " + i); + } + if (i == DEFAULT_KDC_RETRY_LIMIT) { + ibuf = null; + throw se; + } + } + } finally { + kdcClient.close(); + } } } return ibuf; >Release-Note: >Audit-Trail: >Unformatted: