MessageUtils JVM crash

Alan Bateman Alan.Bateman at Sun.COM
Wed Jun 17 08:11:28 UTC 2009

Marc Schoenefeld wrote:
> Hi,
> originally I wrote a fuzzing tool to test all native functions in jdk131
> , then gave a list of the results to the Sun representatives at RSA
> conference 2003.
> Unfortunately I never received any reaction to this bug report, nor were
> the bugs fixed. So I put the bugs in a drawer, but used the chance to
> write a fix
> for OpenJDK.
> Setting the parameter to null could allow an attacker to conduct denial
> of service attacks: 
>  -
> or
>  -
I wasn't at the RSA conference in 2003 so it wasn't me :-)   It may be 
that the attacks involved calling sun.* APIs directly, something that 
you can't do if there is a security manager. The XSLT issue is more 
significant and I'm pretty sure that specific issue was fixed a few 
years ago.

As regards sun.misc.MessageUtils, I don't see any problem fixing this. I 
notice the return from NewStringUTF isn't checked. Unfortunately this 
(very old) code is also missing checks for the calls to GetStringChars 
and malloc. Also, I assume that the additional \0 isn't needed.


More information about the core-libs-dev mailing list