Closed Bug 207740 Opened 21 years ago Closed 21 years ago

Browser crashes on HTTPS urls - Trunk M140RC1 [@ cert_get_next_general_name]

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: laurens, Assigned: nelson)

References

(
URL
)

Details

(4 keywords, Whiteboard: [3.7.7][3.4.4])

Crash Data

Attachments

(1 file, 1 obsolete file)

Simpler patch
573 bytes, patch
wtc
: review+
asa
: approval1.4+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529

Mozilla 1.4 RC 1 crashes on accessing certain HTTPS sites (either entering them
in the URL bar or clicking on a link.)

At the moment I have only been able to reproduce this bug with my local web
server. I haven't found public internet servers that trigger the same behaviour.
But by accessing my local server I can reproduce the crash every time.

Reproducible: Always

Steps to Reproduce:
1. Enter an url in the location bar e.g. "https://www" and press enter
Actual Results:  
Browser crashes.

Expected Results:  
Browser opens this page using SSL.

Talkback Incident IDs: TB20604478W, TB20604426Q, TB20604314K and TB20604306Z.

My local web server is running Apache 1.3.27 and mod_ssl 2.8.12-1.3.27. The page
requested is very simple: <HTML><BODY>-</BODY></HTML>.
Some more details:

- The SSL certificate I am using is (of course) self signed and has as Common
Name "10.1.1.2"
- Mozilla 1.4 beta is working fine, but nightly build 2003-05-25-08-trunk does
have this problem (I can't find nightly build before 05-25)
Some mirrors still have old builds, so I was able to narrow the problem down to
the day it first accorded.

Nightly build 2003-05-23-09-trunk is working fine.
Nightly build 2003-05-24-08-trunk crashes.
Reporter: 
Have you installed Mozilla in a empty directory (uninstalled first, deleted the
Mozilla application directory) and have you tried a new profile ?
Keywords: crash, stackwanted
Whiteboard: TB20604478W
Also happens on Mac OS X (10.2.3):
crashes Mozilla 1.4rc1 
(Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.4) Gecko/20030529)
and nightly build ID 2003053103
(Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5a) Gecko/20030531)

Does NOT happen on Mozilla 1.4b release
(just re-downloaded and re-installed to confirm, but forgot to write down the ID
before trashing it :P. Sorry. It's the May 7th release)

Looks like some URLs cause the crash: 
https://webmail.upv.es
...but others don't: 
https://store.apple.com/Catalog/US/Images/salespolicies.html

The first URL used to be problematic because of the type of the certificate
(something to do with a not-recognized issuer of the certificate). May that be a
cause?

TalkBack IDs: 
release 1.4rc1: TB272328W, TB272333W
nightly build 2003053103: TB273009G
As suggested in comment #3 from Matti, just tried with a new profile in the
nightly build ID 2003053103. 
But the bad behaviour is consistent: the first URL given in comment #4 crashes
Mozilla, but the 2nd doesn't.

One difference: the 2nd URL warns me about entering a secure page (normal
behaviour). The first URL doesn't; just crashes.

I'm running this nightly build from a separate folder (though I guess that bit
is not really useful for a Mac, since here the app is just [kind of] an atomic
46 Mb item...). 
confirming crash with a 1 day old win2k build and the URL https://webmail.upv.es
I asked for a new profile because you I use some https URLs frequently  that
doesn't crash and you mean that all https URLs cause a crash.

cert_get_next_general_name(CERTGeneralNameStr * 0x00000000) line 215 + 4 bytes
cert_DecodeGeneralNames(PLArenaPool * 0x1fcead2a, SECItemStr * * 0x07300a40)
line 441
CERT_DecodeAltNameExtension(PLArenaPool * 0x07300a40, SECItemStr * 0x0175fbe0)
line 180 + 7 bytes
cert_GetCertificateEmailAddresses(CERTCertificateStr * 0x1fce3196) line 1109 +
11 bytes
CERT_DecodeDERCertificate(SECItemStr * 0x1fcfa067, int 24509472, char *
0x00000001) line 875
nssDecodedPKIXCertificate_Create(NSSArenaStr * 0x00000000, NSSItemStr *
0x06e55bbc) line 426 + 33 bytes
stan_GetCERTCertificate(NSSCertificateStr * 0x06e55b90, int 1226) line 709 + 11
bytes
__CERT_NewTempCertificate(NSSTrustDomainStr * 0x1fd848c3, SECItemStr *
0x0701f660, char * 0x076344d4, int 0, int 0) line 272 + 6 bytes
ssl3_HandleHandshakeMessage(sslSocketStr * 0x071c40b0, unsigned char *
0x071c4258, unsigned int 119292500) line 7993 + 8 bytes
ssl3_HandleRecord(sslSocketStr * 0x1fd8ad86, SSL3Ciphertext * 0x071c40b0,
sslBufferStr * 0x00000000) line 8378 + 11 bytes
ssl_GatherRecord1stHandshake(sslSocketStr * 0x071c40b0) line 1261
ssl_SecureSend(sslSocketStr * 0x1fd90016, const unsigned char * 0x071c40b0, int
116027440, int 447) line 1028 + 6 bytes
ssl_SecureWrite(sslSocketStr * 0x071c40b0, const unsigned char * 0x06ea7030, int
447) line 1062 + 22 bytes
ssl_Write(PRFileDesc * 0x06e7c608, const void * 0x06ea7030, int 447) line 1283
nsSSLIOLayerWrite(PRFileDesc * 0x06e7c608, const void * 0x00000000, int
805319248) line 1187 + 14 bytes
07770a80()
nsSSLIOLayerClose(PRFileDesc *) line 944

-> PSM
Assignee: general → ssaux
Status: UNCONFIRMED → NEW
Component: Browser-General → Client Library
Ever confirmed: true
Flags: blocking1.4?
Keywords: stackwantedregression
Product: Browser → PSM
QA Contact: general → bmartin
Whiteboard: TB20604478W
Version: Trunk → unspecified
As suggested in comment 3 I tried installing Mozilla in a fresh directory, this
did not change the behaviour.

I assume comment 5 takes care of the new profile. Or do I need to try with both
a fresh install and a new profile?

The first url from comment 4 does indeed crash Mozilla, see Talkback ID TB20612627Y.
Component: Client Library → Browser-General
Keywords: regressionstackwanted
Product: PSM → Browser
QA Contact: bmartin → general
Whiteboard: TB20604478W
Version: unspecified → Trunk
Please don't clobber my changes. If you get a mid-air and i changed something
don't use "proccedd anyway" !

YOu don't need to test now because i can reproduce it (but not with all Https URLS)
Component: Browser-General → Client Library
Keywords: stackwantedregression
Product: Browser → PSM
QA Contact: general → bmartin
Whiteboard: TB20604478W
Version: Trunk → unspecified
Bob Relyea: This crash is in NSS. Can you comment?

I was told this happens on Mac too -> Changing hardware/OS to All.

Self signed certificates seems to be the triggering factor here. I'm glad this
was found before the 1.4 release (we don't want a 1.4.1 too soon).
OS: Windows 2000 → All
Hardware: PC → All
To Kai for investigation. Even if we have seen many self signed certificates
being constructed incorrectly, we should not crash.
Assignee: ssaux → kaie
The certificate chain at https://www.ida.liu.se/ was investigated quite
thoroughly in bug 174634, and was found to be valid then. It works as a testcase
for this bug as well. Tested clean install/profile of 1.4RC1 on Linux, resulted
in hanged networking in Mozilla. No crash though, but more or less just as bad.
Taking bug.  Changing product to NSS.  
There are two separate issues here.

1. The immediate cause of the crash is a bug in cert_DecodeGeneralNames, which 
is an old bug, not a recent regression.  The source file that contains this 
function had MANY such errors in it.  Recently, many of those bugs were fixed,
but apparently a few more remain.

2. It's unclear why cert_DecodeGeneralNames is being called with the particular
input it is receiving.  I will investigate.
Assignee: kaie → nelsonb
Component: Client Library → Libraries
Priority: -- → P1
Product: PSM → NSS
Target Milestone: --- → 3.8.1
Version: unspecified → 3.8
This is not a regression, per se'.  It is not the case that some recenrly made
change introduced a new bug.  Rather, It is the case that one bug (that was
recently fixed) masked another old one (which is now exposed).  

I recommend that this bug receive the same attention and priority as bug 204555 .
Patch forthcoming.
Status: NEW → ASSIGNED
This patch may be overly cautious.  The new nextName variable should never be
NULL, so the test for it should be reduntdant.	But better safe than sorry.
Comment on attachment 124948 [details] [diff] [review]
test pointers for NULL before using them

Wan-Teh, if you approve, please request approval1.4. Thanks.
Attachment #124948 - Flags: review?(wtc)
Since this is YET ANOTHER null pointer dereference bug in genname.c, I'm marking
this bug as depending on bug 204555, which acts as a dependency for all the
other bugs of this ilk.
Depends on: 204555
Comment on attachment 124948 [details] [diff] [review]
test pointers for NULL before using them

cert_get_prev_general_name() and
cert_get_next_general_name() cannot return a
NULL pointer.  It's an artifact of their
implementation; they could return an invalid
pointer, but not NULL.	So the only change we
need is the "if (currentName)" test.
Attachment #124948 - Flags: review?(wtc) → review-
Comment on attachment 124948 [details] [diff] [review]
test pointers for NULL before using them

Nelson, I didn't read comment 16, so I didn't realize
that you already knew those two functions cannot
return NULL.  I also found that in the cert_DecodeGeneralNames
function those two functions will return a valid pointer
if currentName is a valid pointer (because currentName is
in a circular linked list).  So I think the "if (nextName)"
tests are not necessary there.
Hi!

This is the bug I've had tons of problems with on RC1. My testcase is not only
the one from liu.se (actually webmai.island.liu.se but it is the same
certificate) but in my case its 2part.

1. I get a crash to windows with no chance of "recovery" when using the webmail
https link.

2. When connecting to the mailserver IMAP.island.liu.se (that I think uses the
same certificate) I get the Crashmessage but I'm still able to use both the
browser and the email client if I ignore the message (No actuall connection to
the mailserver is made though, so I cannot receive or send any mails)

Absolutely a blocker/critical bug, at least for me=)
Regarding Comment 20:  
Note that the certs in question do not comply with RFC 3280, AFAIK.  
They contain empty Subject Alternative Name extensions.  
They contain extensions that say "here is the list of alternative names for
this subject", and the list is empty.  An empty list is not allowed by the 
ASN.1 definition of GeneralNames (see page 35 of RFC 3280).  
If the list is empty, the extension should not be present.  

I'm trying to get this patch ready to go in ASAP, so I coded it conservatively.
Now, I'll have to recode it.  :-(.  
I hope there's still time for this patch to make it into moz 1.4.
Comment on attachment 124948 [details] [diff] [review]
test pointers for NULL before using them

>+    if (currentName) {
>+	nextName = cert_get_next_general_name(currentName);
>+	if (nextName)
>+	    nextName->l.prev = tail;
>+	return nextName;
>+    }
> loser:
>     return NULL;
> }

Should we set the error code right before the loser label?
Alternatively, we can fix the caller (CERT_DecodeAltNameExtension)
to not call cert_DecodeGeneralNames under this condition.
Attached patch Simpler patchSplinter Review 
This patch is much smaller than the last and makes the code more obviously
correct, IMO.
Attachment #124948 - Attachment is obsolete: true
Attachment #124964 - Flags: review?(wtc)
In answer to comment 22, I would say that this condition is not an error. 
It is simply an empty list.  
Comment on attachment 124964 [details] [diff] [review]
Simpler patch

r=wtc.

Nelson, I believe this patch can be further simplified.

>+    if (currentName) {
>+	return cert_get_next_general_name(currentName);
>+    }

This can be replaced by:

      return head;
Attachment #124964 - Flags: review?(wtc) → review+
Regarding comment 25.  "head" has the wrong type.  
It is the doubly-linked list structure inside the CERTGeneralName.  This 
function needs to return the address of the CERTGeneralName that contains head.
Comment on attachment 124964 [details] [diff] [review]
Simpler patch

drivers: remember that NSS doesn't require sr review.
Attachment #124964 - Flags: approval1.4?
a=adt Please land this fix on the 1.4 Branch after getting drivers approval and
add the fixed1.4 keyword.
Comment on attachment 124964 [details] [diff] [review]
Simpler patch

a=asa (on behalf of drivers) for checkin to the 1.4 branch.
Attachment #124964 - Flags: approval1.4? → approval1.4+
The patch has been checked into the NSS tip (NSS 3.9),
NSS_3_8_BRANCH (NSS 3.8.1), NSS_CLIENT_TAG (Mozilla 1.5
alpha), and MOZILLA_1_4_BRANCH (Mozilla 1.4 final).
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Keywords: fixed1.4
Resolution: --- → FIXED
Flags: blocking1.4?
Patch checked into NSS_3_7_BRANCH for NSS 3.7.7 Beta 1.
Whiteboard: [3.7.7]
Adding topcrash and Trunk M140RC1 [@ cert_get_next_general_name] to summary for
future reference.  No crashes since 6/4 builds...marking verified based on
Talkback data.
Status: RESOLVED → VERIFIED
Keywords: topcrash
Summary: Browser crashes on HTTPS urls → Browser crashes on HTTPS urls - Trunk M140RC1 [@ cert_get_next_general_name]
Changing dependency from 204555 to 174885.  
This bug and 204555 are independent of each other.  
Both were both masked by bug 174885, and were exposed once 174885 was fixed.
Depends on: 174885
No longer depends on: 204555
Patch checked in on the NSS_3_4_BRANCH (3.4.4).
Whiteboard: [3.7.7] → [3.7.7][3.4.4]
Crash Signature: [@ cert_get_next_general_name]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: