211384 - Importing a CRL that already exists in the DB causes NSS_Shutdown to fail

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P2)

Description

[Tej Arora]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
Build Identifier: 

Import a CRL using crlutil. exit code is 0.
Import the same CRL again. exit code is 1, because NSS_Shutdown failed.
NSS_Shutdown fails because secmod_PrivateModuleCount does not
come down to 0 (it is 1 at the end).

I'll attach a CRL that can be used. 
Using NSS_3_8_RTM, NSPR_4_3_RTM

Use the following procedure to reproduce problem.

certutil -N -d .
crlutil -I -i crl.der -d . -B (check ret code "echo $?" - 0)
crlutil -I -i crl.der -d . -B (check ret code "echo $?" - 1)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

[Tej Arora]

Attachment: DER CRL for reproducing the problem

DER CRL for reproducing the problem

Comment 2

[Wan-Teh Chang]

Attachment: Proposed patch

The actual fix for the bug Tej reported is in crl.c,
where we should not obtain a slot reference because
PK11_FindCrlByName already obtained a slot reference.

The changes to pk11cert.c are mostly code cleanup: I
handle the failure of PORT_Strdup and set *url to NULL
if crl->url is NULL.  I also fixed a slot reference
leak if the SECITEM_AllocItem call fails.  We should
obtain a slot reference only when the PK11_FindCrlByName
function returns successfully.

Tej, could you verify that this patch fixes the bug?
Nelson, could you review this patch?

Comment 3

[Tej Arora]

verified that the patch fixes the problem

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 126955 [details] [diff] [review]
Proposed patch

r=nelsonb

Comment 5

[Wan-Teh Chang]

Fix checked into the NSS trunk (NSS 3.9).

Since the bug prevents user profile switching in NSS-based
client applications, I also checked in the fix on the
NSS_3_8_BRANCH (NSS 3.8.2) and NSS_CLIENT_TAG (Mozilla 1.5a).