Details
- Type: Bug
- Status: In Progress
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 2.0.0
Description
The SaslMessageToken class will throw a NullPointerException (NPE) if buffer() is called while the payload is null. Although buffer() checks whether the token is null in a few places before dereferencing it, encodedLength() is called right off the bat, before any of those checks, and it does not check for null.
The payload is always produced by either https://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslServer.html#evaluateResponse(byte[]) or https://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslClient.html#evaluateChallenge(byte[]). The javadoc states that when these return null, authentication has succeeded and no further messages need to be sent to the other party.
I think if null SaslMessageToken payloads are never sent over the wire, we should remove all the null checking in SaslMessageToken and MessageDecoder, and ensure that the SASL handlers check for null before deciding to write tokens.
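As an added illustration (not the project's own code; the SaslMessageToken, its wire layout and the handler below are hypothetical stand-ins), the NPE path through encodedLength() and the handler-side null check the ticket proposes:

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Hypothetical minimal stand-in for the project's SaslMessageToken (not the project's code).
// Assumed wire format: 2-byte message code, 4-byte payload length, then the payload bytes.
final class SaslMessageToken {
    private static final short CODE = -500; // constructed value, not the project's
    private final byte[] token;

    SaslMessageToken(byte[] token) { this.token = token; }

    // Dereferences the payload unconditionally: a null payload fails here with an NPE.
    int encodedLength() { return 2 + 4 + token.length; }

    ByteBuffer buffer() {
        ByteBuffer buf = ByteBuffer.allocate(encodedLength()); // NPE is thrown before any null check below
        buf.putShort(CODE);
        buf.putInt(token == null ? 0 : token.length);          // these checks never get a chance to run
        if (token != null) buf.put(token);
        buf.flip();
        return buf;
    }
}

// Handler-side pattern the ticket proposes: decide on null before a token is ever constructed.
final class SaslHandlerExample {
    // Stand-in for SaslServer.evaluateResponse: null means "authenticated, nothing more to send".
    static byte[] evaluateResponse(byte[] response) {
        return response.length == 0 ? null : "challenge".getBytes(StandardCharsets.UTF_8);
    }

    // Returns the bytes to write, or null when the exchange is complete and no token should be sent.
    static ByteBuffer nextMessage(byte[] clientResponse) {
        byte[] payload = evaluateResponse(clientResponse);
        if (payload == null) {
            return null; // authentication succeeded: do not build or write a token at all
        }
        return new SaslMessageToken(payload).buffer();
    }

    public static void main(String[] args) {
        System.out.println(nextMessage(new byte[]{1}).remaining()); // a real challenge is encoded
        System.out.println(nextMessage(new byte[0]));                // null: nothing written, no NPE
        new SaslMessageToken(null).buffer();                         // the bug: throws NullPointerException
    }
}
```

With the check at the handler, the null-handling inside buffer() and the decoder becomes dead code, which is what the ticket suggests removing.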