Closed Bug 185245 Opened 22 years ago Closed 21 years ago

DecodeDBSubjectEntry needs to protect against reading beyond the end of the dbentry

Categories: NSS :: Libraries (Type: defect, Priority: Not set, Severity: normal)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: wtc, Assigned: rrelyea
Attachments: 1 file

In lib/softoken/pcertdb.c, function DecodeDBSubjectEntry,
there is no protection against reading beyond the end of
the dbentry.  Therefore, the code is likely to crash if
the data in the dbentry is corrupted.

Throughout the function, we should check that the offset
of the data we want to read is less than dbentry->len
before we read it.
Needs to be fixed in NSS 3.8.
Target Milestone: --- → 3.8
Don't read beyond the database buffer, even if the record has been corrupted.
Attachment #115944 - Flags: superreview?(jpierre)
Attachment #115944 - Flags: review?(wtc)
Comment on attachment 115944 [details] [diff] [review]
Check the length validity before we try to reference it.

> 	for (i=0; i < entry->nemailAddrs; i++) {
>-	    int nameLen = tmpbuf[0] << 8 | tmpbuf[1];
>+	    int nameLen;
>+	    if (tmpbuf + 2 >= end) {
>+		goto loser;
>+	    }
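Review bot: the bound test `tmpbuf + 2 >= end` is off by one. When exactly two bytes remain, `tmpbuf + 2 == end` and the two-byte length prefix lies entirely inside the buffer, yet the loop jumps to loser and rejects a well-formed record. Use `tmpbuf + 2 > end`, or better `end - tmpbuf < 2`, which never forms a pointer past the buffer when the record is short. The test shown guards only the two prefix bytes; the nameLen bytes consumed after it need the same kind of check before they are read, and this excerpt does not show one.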

This check should say "tmpbuf +1 >= end" or "tmpbuf +2 > end".
Attachment #115944 - Flags: review?(wtc) → review-
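The bug description asks for an offset-versus-length check before every read, and the review above pins down the exact boundary condition for the two-byte length prefix. The following decoder is an added example, not NSS's DecodeDBSubjectEntry and not the patch under review: it parses a constructed record whose shape mirrors the loop in the hunk (a count byte, then per address a 2-byte big-endian length and that many name bytes). The layout, the SubjectEntry struct, MAX_ADDRS and the sample byte strings are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout (not the real pcertdb format):
 *   [count:1][len:2 big-endian][name:len] ... repeated count times */
#define MAX_ADDRS 8

typedef struct {
    int nemailAddrs;
    const uint8_t *addr[MAX_ADDRS];   /* points into the caller's buffer */
    int addrLen[MAX_ADDRS];
} SubjectEntry;

/* Returns 0 on success, -1 if the record is truncated or malformed.
 * Every read is preceded by a check that the bytes exist in [buf, buf+len). */
int decode_subject_entry(const uint8_t *buf, size_t len, SubjectEntry *entry)
{
    const uint8_t *p = buf;
    const uint8_t *end = buf + len;
    int i;

    memset(entry, 0, sizeof(*entry));

    if (end - p < 1)                       /* count byte */
        return -1;
    entry->nemailAddrs = *p++;
    if (entry->nemailAddrs > MAX_ADDRS)    /* assumed fixed-size table */
        return -1;

    for (i = 0; i < entry->nemailAddrs; i++) {
        int nameLen;
        /* Need exactly two bytes for the length prefix. `end - p < 2`
         * accepts the case where the prefix ends exactly at `end`, which
         * the off-by-one form `p + 2 >= end` wrongly rejects, and it never
         * computes a pointer beyond the buffer. */
        if (end - p < 2)
            return -1;
        nameLen = p[0] << 8 | p[1];
        p += 2;
        /* The name bytes need their own check before anything reads them. */
        if (end - p < nameLen)
            return -1;
        entry->addr[i] = p;
        entry->addrLen[i] = nameLen;
        p += nameLen;
    }
    return 0;
}

/* The flawed prefix check from the review, written without pointer
 * arithmetic past the buffer: p + 2 >= end is the same as end - p <= 2.
 * Returns -1 (reject) or 0 (accept). */
int length_prefix_check_buggy(const uint8_t *p, const uint8_t *end)
{
    return (end - p <= 2) ? -1 : 0;
}

/* Constructed sample records (not taken from any real database). */
static const uint8_t kExactFit[]    = {0x02, 0x00, 0x01, 'a', 0x00, 0x00}; /* last prefix ends at end */
static const uint8_t kTruncName[]   = {0x01, 0x00, 0x05, 'a', 'b'};        /* claims 5 bytes, has 2 */
static const uint8_t kTruncPrefix[] = {0x01, 0x00};                        /* prefix cut in half */

/* Returns 1 if the exact-fit record decodes with the expected fields. */
int check_exact_fit(void)
{
    SubjectEntry e;
    return decode_subject_entry(kExactFit, sizeof kExactFit, &e) == 0 &&
           e.nemailAddrs == 2 && e.addrLen[0] == 1 && e.addrLen[1] == 0;
}

int check_trunc_name(void)
{
    SubjectEntry e;
    return decode_subject_entry(kTruncName, sizeof kTruncName, &e);
}

int check_trunc_prefix(void)
{
    SubjectEntry e;
    return decode_subject_entry(kTruncPrefix, sizeof kTruncPrefix, &e);
}

/* The buggy check applied to the second prefix of kExactFit (offset 4). */
int check_buggy_rejects_exact_fit(void)
{
    return length_prefix_check_buggy(kExactFit + 4, kExactFit + sizeof kExactFit);
}

int main(void)
{
    printf("exact fit decodes: %d\n", check_exact_fit());
    printf("truncated name: %d\n", check_trunc_name());
    printf("truncated prefix: %d\n", check_trunc_prefix());
    printf("buggy check on exact fit: %d\n", check_buggy_rejects_exact_fit());
    return 0;
}
```

The kExactFit record is the case the review comment is about: its final two-byte prefix ends exactly at the end of the buffer, so `end - p == 2`; the corrected test accepts it while the `>=` form rejects a valid record. The two truncated records show why the name bytes need their own bound test and not just the prefix.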
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Attachment #115944 - Flags: superreview?(jpierre)