Closed Bug 135052 Opened 23 years ago Closed 22 years ago

Leaked reference to the internal key slot in p12d.c

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: wtc, Assigned: rrelyea)

References

Details

(Whiteboard: [adt2 RTM])

Attachments

(1 file, 2 obsolete files)

More cleanup in SEC_PKCS12DecoderStart
838 bytes, patch
rrelyea
: review+
Details | Diff | Splinter Review 
In mozilla/security/nss/lib/pkcs12/p12d.c, we call
PK11_GetInternalKeySlot() in SEC_PKCS12DecoderStart()
if the second argument 'slot' to SEC_PKCS12DecoderStart()
is NULL, but we are not calling PK11_FreeSlot() in
SEC_PKCS12DecoderFinish(), so this slot reference is
leaked.

Note that we may also call PK11_GetInternalKeySlot()
in sec_pkcs12_decoder_get_decrypt_key():

    /* if no slot specified, use the internal key slot */
    if(!keyPwd->slot) {
        keyPwd->slot = PK11_GetInternalKeySlot();
    }

But I believe that we never call this function with a
NULL keyPwd->slot, so this code is never executed.  I
will verify that.
I am pretty sure that in sec_pkcs12_decoder_get_decrypt_key,
keyPwd->slot is not NULL.  Below is the notes I took while
tracing the source code.  You can skip these notes.

1. SEC_PKCS12DecoderStart creates p12dcx and sets p12dcx->slot.
p12dcx->slot is not NULL.  Then it specifies p12dcx as the
argument to sec_pkcs12_decoder_pfx_notify_proc.

2. sec_pkcs12_decoder_pfx_notify_proc is a static function and
is only referenced once. It passes p12dcx to
sec_pkcs12_decode_start_asafes_cinfo.

3. sec_pkcs12_decode_start_asafes_cinfo is a static function
and is only referenced once.  It specifies p12dcx as the
argument to sec_pkcs12_decoder_asafes_notify.

4. sec_pkcs12_decoder_asafes_notify is a static function and
is only referenced once.  It sets p12dcx->currentASafeKeyPwd->slot
to p12dcx->slot and specifies p12dcx->currentASafeKeyPwd as
the argument to sec_pkcs12_decoder_get_decrypt_key.

5. Finally, sec_pkcs12_decoder_get_decrypt_key is a static
function and is only referenced once.  Its argument is
called keyPwd.  We can assert that keyPwd->slot is not NULL.
Status: NEW → ASSIGNED
Attached patch Proposed patch (obsolete) — Splinter Review 
This patch requires some explanation.

1. Although I am pretty sure that in sec_pkcs12_decoder_get_decrypt_key,
keyPwd->slot is not NULL, I am not 100% sure.  So in this function, I
decided to fix the slot reference leak if keyPwd->slot is NULL and we
have to use the internal key slot.

Note that my patch changes the function's behavior slightly.  If
keyPwd->slot is NULL, on return keyPwd->slot will still be NULL
if my patch is applied; in the original code keyPwd->slot will
be equial to the internal key slot.

2. In SEC_PKCS12DecoderStart I simply deleted the code for the
case 'slot' is NULL.  This is because SEC_PKCS12DecoderStart
returns NULL if 'slot' is NULL, so we can't possibly pass a
NULL 'slot' to this function.
Attached patch Proposed patch (obsolete) — Splinter Review 
This patch requires some explanation.

1. Although I am pretty sure that in sec_pkcs12_decoder_get_decrypt_key,
keyPwd->slot is not NULL, I am not 100% sure.  So in this function, I
decided to fix the slot reference leak if keyPwd->slot is NULL and we
have to use the internal key slot.

Note that my patch changes the function's behavior slightly.  If
keyPwd->slot is NULL, on return keyPwd->slot will still be NULL
if my patch is applied; in the original code keyPwd->slot will
be equial to the internal key slot.

2. In SEC_PKCS12DecoderStart I simply deleted the code for the
case 'slot' is NULL.  This is because SEC_PKCS12DecoderStart
returns NULL if 'slot' is NULL, so we can't possibly pass a
NULL 'slot' to this function.
Comment on attachment 78472 [details] [diff] [review]
Proposed patch

Attached the same patch twice.	Sorry.
Attachment #78472 - Attachment is obsolete: true
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
In rev. 1.10 of p12d.c, Bob fixed the leak of
the internal key slot reference allocated in
SEC_PKCS12DecoderStart() (for bug 133584).

So the only thing left to do for this bug is
to determine whether the internal key slot
reference in sec_pkcs12_decoder_get_decrypt_key()
is leaked.  Bob, could you take a look at that?

In reviewing the current SEC_PKCS12DecoderStart()
function I found that we need to free the slot on
error return and that it doesn't make sense to
consider a NULL slot an error because a few lines
ahead we have handled that case by using the internal
key slot.  This patch addresses these two issues.
Attachment #78470 - Attachment is obsolete: true
Assigned the bug to Bob.
Assignee: wtc → relyea
Status: ASSIGNED → NEW
Priority: -- → P2
Target Milestone: --- → 3.5
This is not a leak, because SymKeys are expected to own the reference to the
slot. It would only be a leak if the symkey is not freed (which it is much later).

bob
Comment on attachment 82983 [details] [diff] [review]
More cleanup in SEC_PKCS12DecoderStart

Bob,

Thanks for looking at sec_pkcs12_decoder_get_decrypt_key().

Could you review this patch too?
Comment on attachment 82983 [details] [diff] [review]
More cleanup in SEC_PKCS12DecoderStart

Yup.
Attachment #82983 - Flags: review+
Gracias.

Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Blocks: 145836
adt1.0.1+ (on ADT's behalf) for checkin to the 1.0 branch. Pls check this in
asap. thanks!
Keywords: adt1.0.1+, nsbeta1+
Whiteboard: [adt2 RTM]
Keywords: adt1.0.1+fixed1.0.1
bishakhabanerjee@netscape.com - can you verify this bug fix in 1.01 branch? 
When verified, pls replace fixed1.0.1 keyword with verified1.0.1.  Thanks.
marking verified
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1verified1.0.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: