Project: JBoss Remoting (3+)
Issue: REM3-344

ConnectionPeerIdentityContext Doesn't Clean Up authMap Entry if SaslClient is null, Which Leaks Memory


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 5.0.14.Final
    • Fix Version/s: 5.0.15.Final

    I discovered this bug while doing remote EJBs from an EAP 7.2.3 web node to a cluster of backend nodes, and it appears to be exposed by a potential bug in upstream code, but since those reproduction steps are complicated and not immediately applicable to this project, we will just state the relevant bits:

    • Pass an AuthenticationConfiguration to the ConnectionPeerIdentityContext.authenticate method which will result in a SaslClient not being able to be created (client.createSaslClient returns null).
      • The example case that I ran into was that the ConnectionPeerIdentityContext only had a DIGEST-MD5 offeredMechanisms and the principal specified in the AuthenticationConfiguration was anonymous. Since DIGEST-MD5 inherently requires credentials and anonymous can't give them, no SaslClient can be constructed.
    • The authMap entry gets leaked.

Description

    Inside the authentication logic of ConnectionPeerIdentityContext, if a saslClient fails to be created (either createSaslClient returns null or there is a SaslException when creating the client), the authMap entry never gets cleaned up. If this happens a ton of times, significant memory leakage occurs.
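A simplified model of the leak and of a fix, added here as an illustration and not taken from JBoss Remoting's source (the class, method and field names are assumptions): an entry is registered in authMap before the SaslClient exists, the early return on a null client skips the only cleanup path, and the second version releases the entry in a finally block so that both the null return and a thrown exception clean up.

```java
import java.util.HashMap;
import java.util.Map;

// Illustrative model of the leak pattern described in this issue. All names here
// (AuthEntry, SaslClientStub, authenticateLeaky, authenticateFixed) are assumptions
// for the demo, not JBoss Remoting's ConnectionPeerIdentityContext code.
public class AuthMapLeakDemo {
    static final class AuthEntry {}       // per-attempt state parked in authMap
    static final class SaslClientStub {}  // stands in for javax.security.sasl.SaslClient
    // Mirrors the reported case: DIGEST-MD5 needs credentials, so an anonymous
    // principal gets no client (null) instead of an object.
    static SaslClientStub createSaslClient(String mechanism, String principal) {
        if ("DIGEST-MD5".equals(mechanism) && "anonymous".equals(principal)) {
            return null;
        }
        return new SaslClientStub();
    }
    // Leaky shape: the entry is registered before the client exists, and the
    // null-client early return skips the cleanup that only the success path does.
    static boolean authenticateLeaky(Map<Integer, AuthEntry> authMap, int id, String mech, String principal) {
        authMap.put(id, new AuthEntry());
        SaslClientStub client = createSaslClient(mech, principal);
        if (client == null) {
            return false;                 // authMap still holds id: leaked
        }
        authMap.remove(id);               // cleanup happens only here
        return true;
    }
    // Fixed shape: cleanup runs in finally, so a null client and a thrown
    // SaslException (any exception from createSaslClient) both release the entry.
    static boolean authenticateFixed(Map<Integer, AuthEntry> authMap, int id, String mech, String principal) {
        authMap.put(id, new AuthEntry());
        try {
            return createSaslClient(mech, principal) != null;
        } finally {
            authMap.remove(id);
        }
    }
    public static void main(String[] args) {
        Map<Integer, AuthEntry> leaky = new HashMap<>();
        Map<Integer, AuthEntry> fixed = new HashMap<>();
        for (int i = 0; i < 10_000; i++) {   // repeated failing attempts, as in the report
            authenticateLeaky(leaky, i, "DIGEST-MD5", "anonymous");
            authenticateFixed(fixed, i, "DIGEST-MD5", "anonymous");
        }
        System.out.println("leaky authMap entries: " + leaky.size());
        System.out.println("fixed authMap entries: " + fixed.size());
    }
}
```

Running it shows the leaky map growing by one entry per failed attempt while the fixed map stays empty, which is the unbounded growth a peer can drive simply by retrying a configuration that can never produce a client.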

People

    • Flavia Rainone (flaviarnn)
    • Joshua Swett (jswett33, Inactive)
    • Votes: 0
    • Watchers: 3