Closed
Bug 135052
Opened 23 years ago
Closed 22 years ago
Leaked reference to the internal key slot in p12d.c
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
3.5
People
(Reporter: wtc, Assigned: rrelyea)
References
Details
(Whiteboard: [adt2 RTM])
Attachments
(1 file, 2 obsolete files)
838 bytes,
patch
|
rrelyea
:
review+
|
Details | Diff | Splinter Review |
In mozilla/security/nss/lib/pkcs12/p12d.c, we call PK11_GetInternalKeySlot() in SEC_PKCS12DecoderStart() if the second argument 'slot' to SEC_PKCS12DecoderStart() is NULL, but we are not calling PK11_FreeSlot() in SEC_PKCS12DecoderFinish(), so this slot reference is leaked. Note that we may also call PK11_GetInternalKeySlot() in sec_pkcs12_decoder_get_decrypt_key(): /* if no slot specified, use the internal key slot */ if(!keyPwd->slot) { keyPwd->slot = PK11_GetInternalKeySlot(); } But I believe that we never call this function with a NULL keyPwd->slot, so this code is never executed. I will verify that.
Reporter | ||
Comment 1•22 years ago
|
||
I am pretty sure that in sec_pkcs12_decoder_get_decrypt_key, keyPwd->slot is not NULL. Below is the notes I took while tracing the source code. You can skip these notes. 1. SEC_PKCS12DecoderStart creates p12dcx and sets p12dcx->slot. p12dcx->slot is not NULL. Then it specifies p12dcx as the argument to sec_pkcs12_decoder_pfx_notify_proc. 2. sec_pkcs12_decoder_pfx_notify_proc is a static function and is only referenced once. It passes p12dcx to sec_pkcs12_decode_start_asafes_cinfo. 3. sec_pkcs12_decode_start_asafes_cinfo is a static function and is only referenced once. It specifies p12dcx as the argument to sec_pkcs12_decoder_asafes_notify. 4. sec_pkcs12_decoder_asafes_notify is a static function and is only referenced once. It sets p12dcx->currentASafeKeyPwd->slot to p12dcx->slot and specifies p12dcx->currentASafeKeyPwd as the argument to sec_pkcs12_decoder_get_decrypt_key. 5. Finally, sec_pkcs12_decoder_get_decrypt_key is a static function and is only referenced once. Its argument is called keyPwd. We can assert that keyPwd->slot is not NULL.
Status: NEW → ASSIGNED
Reporter | ||
Comment 2•22 years ago
|
||
This patch requires some explanation. 1. Although I am pretty sure that in sec_pkcs12_decoder_get_decrypt_key, keyPwd->slot is not NULL, I am not 100% sure. So in this function, I decided to fix the slot reference leak if keyPwd->slot is NULL and we have to use the internal key slot. Note that my patch changes the function's behavior slightly. If keyPwd->slot is NULL, on return keyPwd->slot will still be NULL if my patch is applied; in the original code keyPwd->slot will be equial to the internal key slot. 2. In SEC_PKCS12DecoderStart I simply deleted the code for the case 'slot' is NULL. This is because SEC_PKCS12DecoderStart returns NULL if 'slot' is NULL, so we can't possibly pass a NULL 'slot' to this function.
Reporter | ||
Comment 3•22 years ago
|
||
This patch requires some explanation. 1. Although I am pretty sure that in sec_pkcs12_decoder_get_decrypt_key, keyPwd->slot is not NULL, I am not 100% sure. So in this function, I decided to fix the slot reference leak if keyPwd->slot is NULL and we have to use the internal key slot. Note that my patch changes the function's behavior slightly. If keyPwd->slot is NULL, on return keyPwd->slot will still be NULL if my patch is applied; in the original code keyPwd->slot will be equial to the internal key slot. 2. In SEC_PKCS12DecoderStart I simply deleted the code for the case 'slot' is NULL. This is because SEC_PKCS12DecoderStart returns NULL if 'slot' is NULL, so we can't possibly pass a NULL 'slot' to this function.
Reporter | ||
Comment 4•22 years ago
|
||
Comment on attachment 78472 [details] [diff] [review] Proposed patch Attached the same patch twice. Sorry.
Attachment #78472 -
Attachment is obsolete: true
Reporter | ||
Comment 5•22 years ago
|
||
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Reporter | ||
Comment 6•22 years ago
|
||
In rev. 1.10 of p12d.c, Bob fixed the leak of the internal key slot reference allocated in SEC_PKCS12DecoderStart() (for bug 133584). So the only thing left to do for this bug is to determine whether the internal key slot reference in sec_pkcs12_decoder_get_decrypt_key() is leaked. Bob, could you take a look at that? In reviewing the current SEC_PKCS12DecoderStart() function I found that we need to free the slot on error return and that it doesn't make sense to consider a NULL slot an error because a few lines ahead we have handled that case by using the internal key slot. This patch addresses these two issues.
Attachment #78470 -
Attachment is obsolete: true
Reporter | ||
Comment 7•22 years ago
|
||
Assigned the bug to Bob.
Assignee: wtc → relyea
Status: ASSIGNED → NEW
Priority: -- → P2
Target Milestone: --- → 3.5
Assignee | ||
Comment 8•22 years ago
|
||
This is not a leak, because SymKeys are expected to own the reference to the slot. It would only be a leak if the symkey is not freed (which it is much later). bob
Reporter | ||
Comment 9•22 years ago
|
||
Comment on attachment 82983 [details] [diff] [review] More cleanup in SEC_PKCS12DecoderStart Bob, Thanks for looking at sec_pkcs12_decoder_get_decrypt_key(). Could you review this patch too?
Assignee | ||
Comment 10•22 years ago
|
||
Comment on attachment 82983 [details] [diff] [review] More cleanup in SEC_PKCS12DecoderStart Yup.
Attachment #82983 -
Flags: review+
Reporter | ||
Comment 11•22 years ago
|
||
Gracias. Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 12•22 years ago
|
||
adt1.0.1+ (on ADT's behalf) for checkin to the 1.0 branch. Pls check this in asap. thanks!
Reporter | ||
Updated•22 years ago
|
Keywords: adt1.0.1+ → fixed1.0.1
Comment 13•22 years ago
|
||
bishakhabanerjee@netscape.com - can you verify this bug fix in 1.01 branch? When verified, pls replace fixed1.0.1 keyword with verified1.0.1. Thanks.
Comment 14•22 years ago
|
||
marking verified
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1 → verified1.0.1
You need to log in
before you can comment on or make changes to this bug.
Description
•