[xSocket-develop] An information leakage from IoConnector to IoSocketDispatcher through an IOExcept
From: Fu, X. <xia...@ws...> - 2019-08-17 06:33:44
Dear developers:
I am a Ph.D. student at Washington State University. I applied a dynamic taint analyzer (distTaint) to xSocket (version 2.8.5) and found a security vulnerability from a tainted path.
During xSocket integration testing, I developed one sample application, based on NonBlockingConnection, whose client sends a text message, followed by another client sending another, to the server.
The source: org.xsocket.connection.IoConnector:
    private void handleConnect() {
        Set<SelectionKey> selectedEventKeys = selector.selectedKeys();
        Iterator<SelectionKey> it = selectedEventKeys.iterator();
        while (it.hasNext()) {
            SelectionKey eventKey = it.next();
            it.remove();
            RegisterTask registerTask = (RegisterTask) eventKey.attachment();
            ......
        }
    }
The sink: org.xsocket.connection:
    public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
        ......
        try {
            selector = Selector.open();
        } catch (IOException ioe) {
            String text = "exception occured while opening selector. Reason: " + ioe.toString();
            LOG.severe(text);
            throw new RuntimeException(text, ioe);
        }
        ......
    }
The statement "LOG.severe(text)" doesn't have LOG severe control.
The Tainted path:
org.xsocket.connection.IoConnector -->
org.xsocket.connection.IoConnector$RegisterTask -->
org.xsocket.connection.IoConnector -->
org.xsocket.connection.ConnectionManager -->
org.xsocket.connection.NonBlockingConnection$SyncIoConnectorCallback -->
org.xsocket.connection.ConnectionManager -->
org.xsocket.connection.NonBlockingConnection -->
org.xsocket.connection.NonBlockingConnection$SyncIoConnectorCallback -->
org.xsocket.connection.NonBlockingConnection -->
org.xsocket.connection.ConnectionManager -->
org.xsocket.connection.ConnectionManager$TimeoutMgmHandle -->
org.xsocket.connection.NonBlockingConnection -->
org.xsocket.connection.IoConnector$RegisterTask -->
org.xsocket.connection.NonBlockingConnection -->
org.xsocket.connection.ConnectionManager$TimeoutMgmHandle -->
org.xsocket.connection.NonBlockingConnection -->
org.xsocket.connection.IoSocketDispatcherPool
I am going to submit a CVE, so please confirm this is not a true positive.
It was recorded at https://sourceforge.net/p/xsocket/bugs/25/
Please help me confirm it.
Thank you very much!
Yours sincerely
Xiaoqin Fu
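
Added example, not part of the original message and not xSocket code: the logging pattern quoted at the sink next to a level-controlled variant, with a capturing handler that shows what reaches the log at INFO. It assumes LOG is a java.util.logging Logger; the class name, logger name and sample exception are constructed for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class SelectorOpenLogging {
    private static final Logger LOG = Logger.getLogger("example.dispatcher"); // hypothetical logger name

    // Pattern quoted in the message: exception text is concatenated into the SEVERE record.
    static void logAsQuoted(IOException ioe) {
        String text = "exception occured while opening selector. Reason: " + ioe.toString();
        LOG.severe(text);
    }

    // Level-controlled variant: fixed text at SEVERE, exception detail only when FINE is enabled.
    static void logWithLevelControl(IOException ioe) {
        LOG.severe("exception occurred while opening selector");
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, "selector open failure detail", ioe);
        }
    }

    public static void main(String[] args) {
        List<String> captured = new ArrayList<>();
        Handler capture = new Handler() {
            @Override public void publish(LogRecord r) {
                if (!isLoggable(r)) return;
                captured.add(r.getLevel() + ": " + r.getMessage()
                        + (r.getThrown() != null ? " [thrown=" + r.getThrown() + "]" : ""));
            }
            @Override public void flush() { }
            @Override public void close() { }
        };
        LOG.setUseParentHandlers(false);   // keep records out of the root console handler
        LOG.addHandler(capture);
        LOG.setLevel(Level.INFO);          // assumed deployment log level

        // Constructed sample exception; its message stands in for environment detail.
        IOException sample = new IOException("constructed-detail: /placeholder/path");
        logAsQuoted(sample);
        logWithLevelControl(sample);
        captured.forEach(System.out::println);
    }
}
```

At INFO the handler receives two SEVERE records, and only the one produced by the quoted pattern carries the exception text.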