174468 - PK11_TokenKeyGen's attribute template is too small

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P1)

Description

[Jamie Nicolson]

The PKCS #11 attribute template in PK11_TokenKeyGen is allocated with 5
elements. It is possible, however, to generate 6 attributes, depending on the
parameters passed in. In this case, the buffer will overflow, and an assertion
will be triggered in debug builds.

The reason this worked before is we used this function with DES and triple-DES,
which don't have a keySize. So that attribute is not added to the template. To
create an AES key, I passed in a keySize of 128, which caused that attribute to
be added to the template, overflowing the buffer.

I'll try to find a workaround for this, but Some People want to be able to
generate AES keys.

Comment 1

[Wan-Teh Chang]

Jamie, do you have a workaround now?  If you don't have
a workaround, it seems that you need a fix sooner than
NSS 3.7, correct?

Comment 2

[Jamie Nicolson]

Our customer can continue using DES3 for a while, so we can wait until 3.7 to
fix this.

Comment 3

[Robert Relyea]

Attachment: Increase array size to match largest possible case.

Good catch. Debug builds will catch the case if the arrays are too small, but
Optimize builds won't.

Comment 4

[Jamie Nicolson]

Comment on attachment 103912 [details] [diff] [review]
Increase array size to match largest possible case.

This fix looks good.

Comment 5

[Wan-Teh Chang]

Comment on attachment 103912 [details] [diff] [review]
Increase array size to match largest possible case.

r=wtc.

By the way, the initial value of 'count' is unused.
We might as well delete the initialization.

Comment 6

[Robert Relyea]

patch checked in.

Comment 7

[Robert Relyea]

checked into tip.