176667 - Memory leak in CERT_FindCertIssuer

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P1)

Description

[Kai Engert (:KaiE:)]

Reproduce using the procedure in bug 176666.

Function CERT_FindCertIssuer creates a leak for some certificates only.
For example, if the certdb contains a permanent copy of the cert from
https://www.kuix.de, after a call to CERT_FindCertIssuer, the passed in cert has
a reference count increased by one.

The cause is: Even if no issuer is found, NSSCertificate_BuildChain returns a
chain with the original in it. However, CERT_FindCertIssuer does not free this
reference and returns NULL.

The fix is to add
  if (chain[0]) {
    CERT_DestroyCertificate(cert);
  }
just in front of
  PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);

Comment 1

[Kai Engert (:KaiE:)]

The described change fixes bug 176666.

Comment 2

[Wan-Teh Chang]

Assigned the bug to Bob.

Kai, this is the current NSS_CLIENT_TAG, not the
MOZILLA_1_0_BRANCH, right?

Comment 3

[Ian McGreer]

Attachment: free cert on error path

Good catch, Kai.  I went ahead and made the patch.

Comment 4

[Kai Engert (:KaiE:)]

> this is the current NSS_CLIENT_TAG, not the MOZILLA_1_0_BRANCH, right

Yes, I saw the bug on the NSS_CLIENT_TAG.
But I guess it is in MOZILLA_1_0_BRANCH, too.

Comment 5

[Kai Engert (:KaiE:)]

Comment on attachment 104151 [details] [diff] [review]
free cert on error path

r=kaie

Comment 6

[Wan-Teh Chang]

Set the version to 3.6 (the current NSS_CLIENT_TAG).
If we verify the bug is also in the MOZILLA_1_0_BRANCH,
the version should be changed to 3.5.

Comment 7

[Kai Engert (:KaiE:)]

I can see the same code on the 1.0 branch, setting version as suggested.

The patch works for me, please land it on the NSS_3_6_BRANCH.
Thanks.

Comment 8

[Robert Relyea]

This patch has now been checked into the tip. It has not been checked into the
3.6 or 3.5 branches.

Comment 9

[Wan-Teh Chang]

The patch has been checked into the 3.6 branch.
Set the target milestone to 3.6.1 and marked the
bug fixed.