Closed
Bug 136625
Opened 23 years ago
Closed 23 years ago
nsslowcert_DecodeDERCertificate failure causes pk11_searchCertsAndTrust to deference a null 'cert' pointer
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4.2
People
(Reporter: wtc, Assigned: rrelyea)
Details
(Keywords: crash, Whiteboard: [adt1])
Attachments
(1 file)
|
468 bytes,
patch
|
wtc
:
review+
jesup
:
approval+
|
Details | Diff | Splinter Review |
This crash was reported to us recently.
=>[1] pk11_mkHandle(slot = 0xbd128, dbKey = 0x60, class = 1879048192U), line
2495 in "pkcs11u.c"
[2] pk11_searchCertsAndTrust(slot = 0xbd128, derCert = 0xfe1615e0, name =
0xfe1615c8, derSubject = 0xfe1615d4, issuerSN = 0xfe161580, email = 0xfe1615bc,
classFlags = 1U, handles = 0x340870, pTemplate = 0xfe1617c8, ulCount = 3), line
3800 in "pkcs11.c"
[3] pk11_searchTokenList(slot = 0xbd128, search = 0x340870, pTemplate =
0xfe1617c8, ulCount = 3, tokenOnly = 0xfe161668, isLoggedIn = 0), line 4041 in
"pkcs11.c"
[4] NSC_FindObjectsInit(hSession = 16777217U, pTemplate = 0xfe1617c8, ulCount
= 3U), line 4098 in "pkcs11.c"
[5] traverse_objects_by_template(tok = 0x103648, sessionOpt = (nil),
obj_template = 0xfe1617c8, otsize = 3U, callback = 0xfe6a3da0 =
&`libnss3.so`devobject.c`retrieve_cert(struct NSSTokenStr *t, struct
nssSessionStr *session, CK_OBJECT_HANDLE h, void *arg), arg = 0xfe161860), line
223 in "devobject.c"
[6] nssToken_TraverseCertificatesBySubject(token = 0x103648, sessionOpt =
(nil), subject = 0xfe161910, search = 0xfe161860), line 643 in "devobject.c"
[7] NSSTrustDomain_FindBestCertificateBySubject(td = 0x1034b8, subject =
0xfe161910, timeOpt = (nil), usage = 0xfe161904, policiesOpt = (nil)), line 638
in "trustdomain.c"
[8] CERT_FindCertByName(handle = 0x1034b8, name = 0x1342c4), line 337 in
"stanpcertdb.c"
(Note that this stack is similar to the stack in
http://bugzilla.mozilla.org/show_bug.cgi?id=132548#c1.)
This crash is caused by defererencing a null pointer.
Here is what I think causes the crash:
In pk11_searchCertsAndTrust(), the local variable
'cert' is set to NULL because some other function
failed earlier. Then we pass &cert->certKey as the
'dbKey' argument to pk11_mkHandle.
(If 'cert' is NULL, &cert->certKey is 0x60, which is
the value of 'dbKey' in the stack trace.)
I've determined that this is caused by
nsslowcert_TraversePermCertsForNickname,
nsslowcert_TraversePermCertsForSubject, or
nsslowcert_TraversePermCerts passing a null 'cert'
argument to the callback function pk11_cert_collect.
pk11_cert_collect would store the null 'cert' in the
certData.certs array.
It would be easy to modify pk11_cert_collect so that
it does not store a null 'cert' in the certData.certs
array, but we might need to find out why the
nsslowcert_TraversePermCerts* functions get a null
'cert' in the first place. Looking at the code, I
found it's because nsslowcert_FindCertByKey(pcertdb.c:2874)
or DecodeACert (pcertdb.c:3857 and 4111) or eventually
nsslowcert_DecodeDERCertificate (pcertdb.c:3799) failed.
|
Reporter | |
Comment 1•23 years ago
|
||
This patch may prevent the crash but I am wondering if
we should fix the underlying problem, that is, the
nsslowcert_DecodeDERCertificate failure.
|
Assignee | |
Comment 2•23 years ago
|
||
DER_DecodeCert could fail if the DER cert data isn't valid. This could occur
because the database had been corrupted at some point, or somehow we've injected
an invalid certificate into the database.
Wan-Teh's fix seems resonable to me. We may want to review the code and see
where else a corrupted certificate may cause us problems.
We probably should look at the cert and make sure it's a corruption problem and
not a valid cert that isn't being parsed by our templates.
bob
|
|
Reporter | |
Comment 3•23 years ago
|
||
Comment on attachment 78551 [details] [diff] [review]
Patch to prevent pk11_cert_collect from storing NULL in certData.certs
Just wanted to note that Bob has reviewed this patch
and I've checked it in on the trunk.
I specifically asked Bob whether pk11_cert_collect
should return SECSuccess if 'cert' is NULL. I
explained that if pk11_cert_collect returns SECFailure,
nsslowcert_TraversePermCertsForSubject will abort
the cert traversal. Bob said returning SECSuccess is
correct.
Attachment #78551 -
Flags: review+
|
||
Comment 4•23 years ago
|
||
We should land this on the branch. Nominating adt1.0.0. I will send mail to drivers.
Keywords: adt1.0.0
|
|
||
Updated•23 years ago
|
|
||
Comment 5•23 years ago
|
||
Comment on attachment 78551 [details] [diff] [review]
Patch to prevent pk11_cert_collect from storing NULL in certData.certs
a=rjesup@wgate.com
Attachment #78551 -
Flags: approval+
|
|
||
Updated•23 years ago
|
Whiteboard: [adt1]
|
||
Comment 6•23 years ago
|
||
adt1.0.0+ (on ADTs behalf) checkin to 1.0. Pls check this into the trunk and 1.0
branch.
|
|
Reporter | |
Comment 7•23 years ago
|
||
I checked in the fix on the MOZILLA_1_0_0_BRANCH.
|
|
||
Comment 8•23 years ago
|
||
Thanks, Wan-Teh. Should we check this in to NSS_CLIENT_TAG, too?
|
|
||
Comment 9•23 years ago
|
||
When checking a fix into 1.0, please add fixed1.0.0. Thanks!
Keywords: fixed1.0.0
|
|
Reporter | |
Comment 11•23 years ago
|
||
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
|
|
Reporter | |
Comment 12•23 years ago
|
||
I checked in the fix on the NSS_3_4_BRANCH.
|
|
Assignee | |
Updated•23 years ago
|
Priority: -- → P1
Target Milestone: --- → 3.5
|
|
Reporter | |
Comment 14•23 years ago
|
||
Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•