Closed Bug 132548 Opened 22 years ago Closed 22 years ago

mail message crashes mozilla

Categories

(MailNews Core :: Security: S/MIME, defect, P1)

Other Branch
x86
Linux
defect

Tracking

(Not tracked)

VERIFIED FIXED
psm2.2

People

(Reporter: tom.vandenhove, Assigned: KaiE)

Details

(Keywords: crash)

Attachments

(1 file)

When opening some mail messages (on imap mail server: netscape messenger),
mozilla crashes (segmentation fault).

I have this problem with two messages, both containing S/MIME signatures and
several To: or CC: lines... however, other messages with S/MIME or multiple
recipients do not crash mozilla.

I've tested this on W2K as well and did not have problems opening those same
messages...

Mozilla versions : 0.9.9 and latest nightly

talkback incident IDs : TB4297879G and TB4178474Q
Severity: major → critical
Keywords: crash, stackwanted
pk11_mkHandle()
pk11_searchCertsAndTrust()
pk11_searchTokenList()
NSC_FindObjectsInit()
traverse_objects_by_template()
nssToken_TraverseCertificatesBySubject()
NSSTrustDomain_FindCertificatesBySubject()
find_issuer_cert_for_identifier()
NSSCertificate_BuildChain()
CERT_FindCertIssuer()
CERT_VerifyCertChain()
CERT_VerifyCert()
NSS_CMSSignerInfo_VerifyCertificate()
NSS_CMSSignedData_VerifySignerInfo()
nsCMSMessage::VerifyDetachedSignature()
MimeMultCMS_generate()
MimeMultipartSigned_emit_child()
MimeMultipartSigned_parse_eof()
MimeContainer_parse_eof()
MimeMessage_parse_eof()
mime_display_stream_complete()
nsStreamConverter::OnStopRequest()
nsDocumentOpenInfo::OnStopRequest()
nsStreamListenerTee::OnStopRequest()
nsOnStopRequestEvent0::HandleEvent()
nsStreamListenerEvent0::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
event_processor_callback()
our_gdk_io_invoke()
libglib-1.2.so.0 + 0xea7a (0x40395a7a)
libglib-1.2.so.0 + 0x10055 (0x40397055)
libglib-1.2.so.0 + 0x10659 (0x40397659)
libglib-1.2.so.0 + 0x107e8 (0x403977e8)
libgtk-1.2.so.0 + 0x9127b (0x402b327b)
nsAppShell::Run()
nsAppShellService::Run()
main1()
main()
libc.so.6 + 0x1c627 (0x404f4627) 
-> PSM
Assignee: mscott → ssaux
Status: UNCONFIRMED → NEW
Component: Mail Back End → S/MIME
Ever confirmed: true
Keywords: stackwanted
Product: MailNews → PSM
QA Contact: esther → alam
Version: other → unspecified
cc kai, relyea, wtc.
nominating nsbeta1
Assignee: ssaux → kaie
Keywords: nsbeta1
Priority: -- → P1
Target Milestone: --- → 2.2
Tom, ideally it would be helpful if you could attach that message in its raw
format to this bug. Maybe the following helps: You could try to start the
application, but not enter the security password when you are prompted, just
press cancel. When you clicked on the message, and it did not crash yet, you
could use "View Message Source" from the menu to open the raw message, put that
data into a text file and attach it to this bug.
Thanks!
Bob, Ian,

we don't have local variable values in the crash data, so we have to guess about
the cause.

We know the crash happened directly within pk11_mkHandle.

I see only one line that could cause a crash directly within that function, it
is the line that dereferences the dbKey pointer, that has been passed in as an
argument. I guess this pointer was either NULL or invalid.

I suggest function pk11_mkHandle should be changed to be failsafe.
I suggest to fix the crash for the beta.
Keywords: nsbeta1 → nsbeta1+
this message (among others) makes mozilla crash...
I've attached one of the messages which trigger the crash. Some other remarks :
removing my .mozilla folder (and thus losing and recreating all my settings)
solves the problem : I can then open this message without problems. However, I
don't think that should qualify as a proper solution ;-) The problem might
resurface at any time...

Also, just removing the ImapMail folder does not solve the problem... Any ideas
on which other files/folders might be related to this problem ?

Tom
QA Contact: alam → carosendahl
Bob, do you agree to my suggestion in comment #6 ?
adding adt1.0.0 keyword.
Keywords: adt1.0.0
No, you are simply masking whatever the real problem is.
Something is seriously wrong if that pointer is invalid.
(note it's passed in as &cert->certKey, so that cert would have to be an invalid
pointer). Also note that the chances of dbKey being '0' are almost nil (even if
cert is NULL).

Kai, can you reproduce this with the stuff he's sent? My guess is the problem is
probably corruption in the database itself.

bob
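
The point made above about `&cert->certKey`, as an added illustration that is not part of the original bug thread and is not NSS code: the struct layout, `demo_*` types and function names are hypothetical stand-ins. It shows that a NULL test on the dbKey argument fires for a literal NULL but stays silent for the address the callee receives when cert itself is NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not the NSS definitions. */
typedef struct { unsigned char *data; unsigned int len; } demo_item;
typedef struct {
    void     *arena;    /* any leading field puts certKey at a nonzero offset */
    demo_item derCert;
    demo_item certKey;
} demo_cert;

/* Address the callee sees when the caller passes &cert->certKey.
   Done in integer arithmetic so the demo never forms an invalid pointer. */
static uintptr_t key_arg_address(uintptr_t cert_addr) {
    return cert_addr + offsetof(demo_cert, certKey);
}

/* The proposed "failsafe": fires only when the argument is literally NULL. */
static int null_guard_fires(uintptr_t db_key_addr) {
    return db_key_addr == 0;
}

/* Hypothetical handle builder with that guard: FNV-1a over the key bytes. */
static int guarded_mk_handle(const demo_item *dbKey, uint32_t *handle) {
    if (dbKey == NULL || dbKey->data == NULL)
        return -1;                       /* guard: literal NULL only */
    uint32_t h = 2166136261u;
    for (unsigned int i = 0; i < dbKey->len; i++)
        h = (h ^ dbKey->data[i]) * 16777619u;
    *handle = h;
    return 0;
}

int main(void) {
    unsigned char key[] = { 0x30, 0x0d, 0x02, 0x01, 0x05 };  /* constructed sample */
    demo_cert good = { NULL, { NULL, 0 }, { key, sizeof key } };
    uint32_t h = 0;

    printf("valid cert:   rc=%d\n", guarded_mk_handle(&good.certKey, &h));
    printf("NULL dbKey:   rc=%d\n", guarded_mk_handle(NULL, &h));
    /* cert == NULL: the callee would receive this address, and the guard stays silent. */
    printf("cert == NULL: dbKey=%#lx guard fires=%d\n",
           (unsigned long)key_arg_address(0), null_guard_fires(key_arg_address(0)));
    return 0;
}
```

A dangling or corrupted cert pointer behaves the same way: the derived address is nonzero, so the guard passes it through to the dereference.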
See bug 134992.  I've been tracking on this all day.  I'd need to compile
certutil to look at the database, but off hand, I know that deleting a cert or
attempting to replace a cert whether through regular mail correspondence or
directly from a directory server begins the downward spiral.

There are two cert7.db files in the other bug that seem to be corrupted.
This is a great bug to fix, but we are removing adt1.0.0 because there is no patch
to approve for checkin, nor the requisite reviews.
Keywords: adt1.0.0
Unfortunately I'm unable to reproduce the problem.
I copied that message to a mail file in my "Local Folders" and I can open and
display it just fine, and it is shown as signed.

Tom, as you said, it depends on your profile. This really sounds like your cert
database file is corrupted.

How could we try to find out why users manage to get corrupted databases?
Note, there is a patch in bug 136625, which might fix this crash.
I've just tested this with RC1 and it seems to work fine now... no more crashes
with those same messages that caused the crash before...

thx guys ! This was really annoying me...
Tom
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verified - no longer crashes with message attachment in the defect.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Product: Core → MailNews Core
QA Contact: carosendahl → s.mime