Hi Ricardo, Thank you for discovering and reproducing the issue - it looks like JDK-8176553 was incomplete in solving how referrals are limited. At first glance the attached patch (fix + test) looks like a good change to have - I think it is PR worthy :) I've logged a bug for your change - https://bugs.openjdk.org/browse/JDK-8288895.
Best, Aleksei ________________________________ From: core-libs-dev <core-libs-dev-r...@openjdk.org> on behalf of Sean Mullan <sean.mul...@oracle.com> Sent: Friday, June 17, 2022 3:15 PM To: core-libs-dev <core-libs-...@openjdk.java.net> Subject: Fwd: Bug JDK-8176553 [reposting to core-libs-dev as this is in the JNDI/LDAP component] -------- Forwarded Message -------- Subject: Bug JDK-8176553 Date: Fri, 17 Jun 2022 14:23:11 +0200 From: Ricardo Martin Camarero <rmart...@redhat.com> To: security-...@openjdk.org Hi! I decided to send an email to the security-dev email list as ldap is involved. Please redirect me to other list if it is not the proper audience. The last last days I have faced the same issue that is commented in JDK-8176553 [1]. Although it is cataloged as fixed in 12, the issue is not solved in the openjdk master branch yet. You can test with this simple project [2]. The project is using apache-ds and creating 12 branches with redirects from one to the other. The search should be limited to 5 hops but you will see that all of them are followed (12). Therefore, If there are loops, the search hangs indefinitely. So JDK-8176553 is not fixed completely. You just need `mvn clean test` to reproduce the problem in that project. I have investigated and I think the attached little patch fixes the issue. Mainly the `LdapReferralException` is not stopping the referral loop in some situations. I have added a test in the jndi jtreg test-suite to check everything works OK; `make test TEST=jtreg:jdk/com/sun/jndi/ldap/ReferralLimitSearchTest.java` WDYT? Is the PR worthy? Thanks in advance! [1] https://bugs.openjdk.org/browse/JDK-8176553 [2] https://urldefense.com/v3/__https://github.com/rmartinc/apache-ds-referrals__;!!ACWV5N9M2RV99hQ!IZkp5q_gOAeIP8Y9Gvr8aniLloG51lZJwlG1yN6BRDyHHLpyr0W64TDMUPAzoPu7dOBOyJrNcKYmwaOF9REM3oA$
