Closed Bug 185245
Opened 22 years ago, closed 21 years ago
DecodeDBSubjectEntry needs to protect against reading beyond the end of the dbentry
Categories: NSS :: Libraries, defect
Tracking: Not tracked
Status: RESOLVED FIXED
Target milestone: 3.8
People: Reporter: wtc, Assigned: rrelyea
Attachments (1 file): patch, 871 bytes; flags: wtc: review-
In lib/softoken/pcertdb.c, function DecodeDBSubjectEntry, there is no protection against reading beyond the end of the dbentry. Therefore, the code is likely to crash if the data in the dbentry is corrupted. Throughout the function, we should check that the offset of the data we want to read is less than dbentry->len before we read it.
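As an added example (not NSS code and not the patch attached to this bug), here is a small C decoder for a length-prefixed list of the kind DecodeDBSubjectEntry walks, with every read checked against the record length before it happens. The names decode_name_list, have_bytes and the sample byte arrays are constructed for this example, and the record layout (16-bit big-endian count and per-entry lengths) is an assumption, not the layout in pcertdb.c. The bound check is written as a difference of pointers so that a record whose last entry ends exactly at the end of the buffer is accepted, while any read that would cross the end is rejected.

```c
/* Added example (not NSS code): decode a length-prefixed list while
 * checking every offset against the record length before reading it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NAMES 8

/* Returns 1 if at least n more bytes remain in [p, end), 0 otherwise.
 * Written as a difference so no pointer past end is ever formed, and so
 * that "exactly n bytes left" counts as enough. */
static int have_bytes(const unsigned char *p, const unsigned char *end, size_t n)
{
    return p <= end && (size_t)(end - p) >= n;
}

/* Assumed layout: u16 count, then count entries of (u16 length, length bytes),
 * all big-endian. Returns the number of entries decoded, or -1 if any read
 * would cross end. Offsets (relative to buf) and lengths of the decoded names
 * are written to offsets[] and lens[], which hold at most max entries. */
int decode_name_list(const unsigned char *buf, size_t len,
                     size_t *offsets, size_t *lens, size_t max)
{
    const unsigned char *p = buf, *end = buf + len;
    size_t i, count;

    if (!have_bytes(p, end, 2))
        return -1;                      /* record truncated before the count */
    count = (size_t)p[0] << 8 | p[1];
    p += 2;
    if (count > max)
        return -1;                      /* caller-supplied storage too small */

    for (i = 0; i < count; i++) {
        size_t nameLen;
        /* Two remaining bytes are enough for the length field; a check of
         * the form (p + 2 >= end) would wrongly reject that case. */
        if (!have_bytes(p, end, 2))
            return -1;
        nameLen = (size_t)p[0] << 8 | p[1];
        p += 2;
        /* The name bytes must fit as well, not only their length field. */
        if (!have_bytes(p, end, nameLen))
            return -1;
        offsets[i] = (size_t)(p - buf);
        lens[i] = nameLen;
        p += nameLen;
    }
    return (int)count;
}

/* Constructed sample records for demonstration. */
static const unsigned char GOOD[] = {
    0x00, 0x02,                         /* two entries */
    0x00, 0x03, 'a', '@', 'x',          /* "a@x" */
    0x00, 0x00                          /* empty name; record ends exactly here */
};
static const unsigned char TRUNCATED_LEN[] = { 0x00, 0x01, 0x00 };            /* length field cut in half */
static const unsigned char TRUNCATED_NAME[] = { 0x00, 0x01, 0x00, 0x05, 'a', 'b' }; /* claims 5 bytes, has 2 */

int demo_good(void)
{
    size_t o[MAX_NAMES], l[MAX_NAMES];
    return decode_name_list(GOOD, sizeof GOOD, o, l, MAX_NAMES);
}

int demo_good_first_name_len(void)
{
    size_t o[MAX_NAMES], l[MAX_NAMES];
    if (decode_name_list(GOOD, sizeof GOOD, o, l, MAX_NAMES) < 1)
        return -1;
    return (int)l[0];
}

int demo_truncated_len(void)
{
    size_t o[MAX_NAMES], l[MAX_NAMES];
    return decode_name_list(TRUNCATED_LEN, sizeof TRUNCATED_LEN, o, l, MAX_NAMES);
}

int demo_truncated_name(void)
{
    size_t o[MAX_NAMES], l[MAX_NAMES];
    return decode_name_list(TRUNCATED_NAME, sizeof TRUNCATED_NAME, o, l, MAX_NAMES);
}

int main(void)
{
    printf("good: %d entries, first name %d bytes\n", demo_good(), demo_good_first_name_len());
    printf("truncated length field: %d\n", demo_truncated_len());
    printf("truncated name: %d\n", demo_truncated_name());
    return 0;
}
```

The second sample record is the one a "greater than or equal" check gets wrong: after the first entry exactly two bytes remain, which is precisely enough for the next length field, and the decoder must accept it. The two truncated records show the two distinct failure points, the length field itself and the name bytes it describes, each of which needs its own check.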
Comment 2 (Assignee), 22 years ago
Don't read beyond the database buffer, even if the record has been corrupted.
Updated (Assignee), 22 years ago
Attachment #115944 - Flags: superreview?(jpierre), review?(wtc)
Comment 3 (Reporter), 21 years ago
Comment on attachment 115944 [details] [diff] [review]
Check the length validity before we try to reference it.

> for (i=0; i < entry->nemailAddrs; i++) {
>- int nameLen = tmpbuf[0] << 8 | tmpbuf[1];
>+ int nameLen;
>+ if (tmpbuf + 2 >= end) {
>+ goto loser;
>+ }

This check should say "tmpbuf +1 >= end" or "tmpbuf +2 > end".
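Review bot: The bound check "if (tmpbuf + 2 >= end)" is off by one, as wtc notes: when exactly two bytes remain (tmpbuf + 2 == end), the two length bytes tmpbuf[0] and tmpbuf[1] are still inside the buffer, yet the record is rejected. Writing it as "if (end - tmpbuf < 2) goto loser;" fixes that and also avoids forming a pointer more than one past the end of the buffer, which C does not guarantee to be comparable. The check covers only the two length bytes; the nameLen bytes decoded from them need their own bound (end - tmpbuf - 2 >= nameLen) before they are read, and since no line of this hunk shows that check, it should be confirmed present in the lines that follow the length decode.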
Attachment #115944 - Flags: review?(wtc) → review-
Comment 4 (Assignee), 21 years ago
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated, 21 years ago
Attachment #115944 - Flags: superreview?(jpierre)