zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3008) Potential NPE in SaslQuorumAuthLearner#authenticate and SaslQuorumAuthServer#authenticate
Date Fri, 27 Apr 2018 12:48:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16456319#comment-16456319
] 

ASF GitHub Bot commented on ZOOKEEPER-3008:
-------------------------------------------

Github user lujiefsi commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/496#discussion_r184676603
  
    --- Diff: src/java/main/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
---
    @@ -94,7 +94,10 @@ public void authenticate(Socket sock, String hostName) throws IOException
{
                         principalConfig,
                         QuorumAuth.QUORUM_SERVER_PROTOCOL_NAME,
                         QuorumAuth.QUORUM_SERVER_SASL_DIGEST, LOG, "QuorumLearner");
    -
    +            if (sc == null) {
    --- End diff --
    
    I will try unit test written by @brettKK ~~


> Potential NPE in SaslQuorumAuthLearner#authenticate and SaslQuorumAuthServer#authenticate
> -----------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3008
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3008
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.6.0
>            Reporter: lujie
>            Priority: Major
>
> Inspired by ZK-3006 , I develop a simple static analysis tool to find other Potential
NPE like ZK-3006. This bug is found by this tool ,and I have carefully studied it.  But i
am a newbie at here so i may be wrong, hope someone could confirm it and help me improve
this tool.
> h2. Bug description:
> callee :SecurityUtils#createSaslClient will return null while encounter exception
> {code:java}
> // code placeholder
> catch (Exception e) {
>   LOG.error("Exception while trying to create SASL client", e);
>   return null;
> }
> {code}
> but its caller has no null check just like:
> {code:java}
> // code placeholder
> sc = SecurityUtils.createSaslClient();
> if (sc.hasInitialResponse()) {
>    responseToken = createSaslToken(new byte[0], sc, learnerLogin);
> }
> {code}
> I think we should add null check in caller while callee return null



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message