Open Bug 1130847 Opened 9 years ago Updated 6 months ago

bltest calls free on uninitalized object when passing a wrong command line

Categories

(NSS :: Tools, defect, P5)

Product:
NSS
Component:
Tools
Platform:
x86_64
Linux
Type:
defect

Tracking

(Not tracked)

People

(Reporter: hanno, Unassigned)

Details

Attachments

(2 files)

nss-blapi-fix-invalid-free.diff
617 bytes, patch
Details | Diff | Splinter Review
address sanitizer error message
708 bytes, text/plain
Details 
I noticed an invalid free operation in bltest when trying to compile nss with asan.

Before cipherInfo gets initialized in line 3512 there is a check in line 3506 whether the command line parsing function returned an error. On error it does a "goto print_usage".

After the print_usage label there's a free of cipherInfo in line 3716:
PORT_Free(cipherInfo);

In case of a malformed command line this call will be reached, while cipherInfo is not initialized yet. Compiling nss with asan or running it through valgrind will show errors when you try to do something like "bltest --h", which is not detected as a valid commandline.

There are different ways to fix this, I opted for the easiest: Just initialize cipherInfo before checking the command line for errors. Then it will always be initialized when there's a "goto print_usage", therefore we can always free it.

    
  
Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: