Closed Bug 31049 Opened 25 years ago Closed 25 years ago

PR_Accept crashes if the listening socket is an emulated IPv6 socket and 'addr' is NULL.

Categories

(NSPR :: NSPR, defect, P3)

x86
Windows NT
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

(Keywords: crash)

Attachments

(1 file)

PR_Accept crashes dereferencing a NULL pointer if the listening socket is an emulated IPv6 socket and the 'addr' argument is NULL. Here is the stack trace:

    _PR_ConvertToIpv6NetAddr(const PRNetAddr * 0x0012fedc, PRNetAddr * 0x00000000) line 66 + 3 bytes
    Ipv6ToIpv4SocketAccept(PRFileDesc * 0x007d2ba0, PRNetAddr * 0x00000000, unsigned int 4294967295) line 170 + 13 bytes
    PR_Accept(PRFileDesc * 0x007d2ba0, PRNetAddr * 0x00000000, unsigned int 4294967295) line 172 + 20 bytes
    main() line 63 + 14 bytes
    GENSERVER! mainCRTStartup + 227 bytes
    KERNEL32! 77f1ba3c()

The line that dereferences a NULL pointer (dst_v6addr) is:

    static void _PR_ConvertToIpv6NetAddr(const PRNetAddr *src_v4addr, PRNetAddr *dst_v6addr)
    {
        PRUint8 *dstp;

        PR_ASSERT(PR_AF_INET == src_v4addr->inet.family);
        dst_v6addr->ipv6.family = PR_AF_INET6;          <===== CRASH
        dst_v6addr->ipv6.port = src_v4addr->inet.port;
        if (htonl(INADDR_ANY) == src_v4addr->inet.ip) {
            dst_v6addr->ipv6.ip = _pr_in6addr_any;
        } else {
            dstp = dst_v6addr->ipv6.ip.pr_s6_addr;
            memset(dstp, 0, 10);
            memset(dstp + 10, 0xff, 2);
            memcpy(dstp + 12, (char *) &src_v4addr->inet.ip, 4);
        }
    }
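An added example, not NSPR's code or the checked-in patch: the same IPv4-to-IPv4-mapped-IPv6 conversion as above, with the NULL guard the crashing version lacks. It uses stand-in structs and assumed family values in place of PRNetAddr, and its two check functions mirror the null and non-null 'addr' calls to PR_Accept that the test was later changed to make.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* INADDR_ANY */
#include <arpa/inet.h>    /* htonl */

/* Stand-ins for PRNetAddr's inet/ipv6 members (assumed layout, not NSPR's). */
typedef struct { uint16_t family; uint16_t port; uint32_t ip; } V4Addr;   /* ip in network order */
typedef struct { uint16_t family; uint16_t port; uint8_t ip[16]; } V6Addr;
enum { FAM_INET = 2, FAM_INET6 = 10 };                                       /* assumed values */

/* Same mapping as _PR_ConvertToIpv6NetAddr: INADDR_ANY -> ::, anything else
 * -> the IPv4-mapped form ::ffff:a.b.c.d.  The difference is the guard: a NULL
 * destination means the caller asked for no peer address, so nothing is filled
 * in and no pointer is followed. */
static int convert_to_ipv6(const V4Addr *src, V6Addr *dst)
{
    if (dst == NULL)
        return 0;                          /* skipped, not crashed */
    assert(src != NULL && src->family == FAM_INET);
    dst->family = FAM_INET6;
    dst->port = src->port;
    memset(dst->ip, 0, sizeof dst->ip);    /* both branches start from all-zero */
    if (src->ip != htonl(INADDR_ANY)) {
        memset(dst->ip + 10, 0xff, 2);     /* bytes 10-11: the 0xffff marker */
        memcpy(dst->ip + 12, &src->ip, 4); /* bytes 12-15: the IPv4 address */
    }
    return 1;
}

/* The two calls the socket.c test was changed to make: addr NULL and non-NULL. */
static int check_null_addr(void)
{
    V4Addr peer = { FAM_INET, 80, htonl(0xC0A80001u) };  /* constructed peer: 192.168.0.1 */
    return convert_to_ipv6(&peer, NULL) == 0;            /* dereferenced NULL before the fix */
}

static int check_mapped_addr(void)
{
    V4Addr peer = { FAM_INET, 80, htonl(0xC0A80001u) };
    V6Addr out;
    if (convert_to_ipv6(&peer, &out) != 1 || out.family != FAM_INET6 || out.port != 80)
        return 0;
    /* expect ::ffff:192.168.0.1 */
    return out.ip[10] == 0xff && out.ip[11] == 0xff &&
           out.ip[12] == 192 && out.ip[13] == 168 && out.ip[14] == 0 && out.ip[15] == 1;
}
```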
Attached patch: Proposed patch.
I suggest that this fix be checked in on the 4.0 release branch so that it will be included in the 4.0.1 patch (if we decide to do 4.0.1).
Status: NEW → ASSIGNED
The fix was checked in on the main trunk.

    /cvsroot/mozilla/nsprpub/pr/src/io/pripv6.c, revision 3.4

The socket.c test was modified to pass both null and non-null 'addr' arguments to PR_Accept to catch this bug.

    /cvsroot/mozilla/nsprpub/pr/tests/socket.c, revision 3.14
Keywords: crash
Checked in the patch on the NSPRPUB_RELEASE_4_0_BRANCH.

    /cvsroot/mozilla/nsprpub/pr/src/io/pripv6.c, revision 3.2.58.9

Will check in the patch on the NSPRPUB_CLIENT_BRANCH (which the mozilla client pulls) when the mozilla tree reopens.
Checked in the fix on the NSPRPUB_CLIENT_BRANCH.

    /cvsroot/mozilla/nsprpub/pr/src/io/pripv6.c, revision 3.3.2.1
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.0.1
Target Milestone: 4.0.1 → 4.0.2