JBoss Remoting (3+) - REM3-344

ConnectionPeerIdentityContext Doesn't Clean Up authMap Entry if SaslClient is null, Which Leaks Memory

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 5.0.14.Final
    • Fix Version/s: 5.0.15.Final
    • Labels: None
    • Environment: Discovered while running JBoss EAP 7.2.3 on CentOS 7

    • Steps to Reproduce:

      I discovered this bug while doing remote EJBs from an EAP 7.2.3 web node to a cluster of backend nodes, and it appears to be exposed by a potential bug in upstream code, but since those reproduction steps are complicated and not immediately applicable to this project, we will just state the relevant bits:

      • Pass an AuthenticationConfiguration to the ConnectionPeerIdentityContext.authenticate method which will result in a SaslClient not being able to be created (client.createSaslClient returns null).
        • The example case that I ran into was that the ConnectionPeerIdentityContext only had DIGEST-MD5 in its offeredMechanisms and the principal specified in the AuthenticationConfiguration was anonymous. Since DIGEST-MD5 inherently requires credentials and anonymous can't give them, no SaslClient can be constructed.
      • The authMap entry gets leaked.

    Description

    Inside the authentication logic of ConnectionPeerIdentityContext, if a saslClient fails to be created (either createSaslClient returns null or there is a SaslException when creating the client), the authMap entry never gets cleaned up. If this happens a ton of times, significant memory leakage occurs.
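The following is an added illustration of the lifecycle the description refers to; it is not JBoss Remoting's code and the exact shape of the fix shipped in 5.0.15.Final is not on this page. The class, the `authMap` keyed by an attempt id, the `SaslClientFactory` stand-in and the two `authenticate*` methods are all hypothetical. It contrasts a variant that removes the map entry only on the success path (so a null `SaslClient` or a thrown `SaslException` strands the entry) with one that ties removal to the attempt's scope via try/finally, and drives both with a constructed factory that models the reported DIGEST-MD5-plus-anonymous case by always returning null.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

/**
 * Hypothetical sketch (not JBoss Remoting code) of the authMap lifecycle
 * described in REM3-344. An entry is inserted per authentication attempt
 * and must be removed on every exit path, including the two failure paths
 * of SASL client creation: a null return and a SaslException.
 */
public class AuthMapCleanupExample {

    /** Stand-in for the per-attempt state the real authMap holds. */
    static final class AuthState {
        final int id;
        AuthState(int id) { this.id = id; }
    }

    /** Stand-in for whatever builds the SaslClient; may return null or throw. */
    interface SaslClientFactory {
        SaslClient createSaslClient(String mechanism) throws SaslException;
    }

    private final Map<Integer, AuthState> authMap = new ConcurrentHashMap<>();
    private final AtomicInteger idSeq = new AtomicInteger();
    private final SaslClientFactory factory;

    AuthMapCleanupExample(SaslClientFactory factory) { this.factory = factory; }

    /** Entries currently registered; a correct implementation returns to 0 after each attempt. */
    int pendingEntries() { return authMap.size(); }

    /**
     * Leaky variant: the entry is removed only after a successful exchange,
     * so a null client or a SaslException leaves it in the map forever.
     */
    boolean authenticateLeaky(String mechanism) throws SaslException {
        int id = idSeq.incrementAndGet();
        authMap.put(id, new AuthState(id));
        SaslClient client = factory.createSaslClient(mechanism); // may throw: entry leaks
        if (client == null) {
            return false;                                        // entry leaks here too
        }
        // ... SASL exchange would run here ...
        authMap.remove(id);
        return true;
    }

    /**
     * Fixed variant: cleanup is bound to the attempt's scope with try/finally,
     * so null client, SaslException and normal completion all remove the
     * entry exactly once.
     */
    boolean authenticateFixed(String mechanism) throws SaslException {
        int id = idSeq.incrementAndGet();
        authMap.put(id, new AuthState(id));
        try {
            SaslClient client = factory.createSaslClient(mechanism);
            if (client == null) {
                return false;
            }
            // ... SASL exchange would run here ...
            return true;
        } finally {
            authMap.remove(id);
        }
    }

    public static void main(String[] args) {
        // Constructed factory modelling the reported case: only DIGEST-MD5 is
        // offered and the principal is anonymous, so no client can be built.
        SaslClientFactory noClient = mechanism -> null;

        AuthMapCleanupExample leaky = new AuthMapCleanupExample(noClient);
        AuthMapCleanupExample fixed = new AuthMapCleanupExample(noClient);
        for (int i = 0; i < 1000; i++) {
            try {
                leaky.authenticateLeaky("DIGEST-MD5");
                fixed.authenticateFixed("DIGEST-MD5");
            } catch (SaslException e) {
                // not reached with this factory; shown for the throwing path
            }
        }
        System.out.println("leaky pending entries: " + leaky.pendingEntries());
        System.out.println("fixed pending entries: " + fixed.pendingEntries());
    }
}
```

The point of the try/finally form is that it does not depend on enumerating failure branches: any new way for `createSaslClient` to fail, or a later exception from the SASL exchange itself, still releases the entry. A heap histogram showing `AuthState` (or the real per-connection type) growing in step with failed authentication attempts is the symptom to look for when diagnosing this class of leak.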

    People

    • Assignee: Flavia Rainone (flavia.rainone)
    • Reporter: Joshua Swett (jswett33)
    • Votes: 0
    • Watchers: 3
