Closed Bug 351140 Opened 18 years ago Closed 18 years ago

Coverity 995, potential crash in ecgroup_fromNameAndHex

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Version:
3.11
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: sciguyryan)

References

(
URL
)

Details

(Keywords: coverity, Whiteboard: [CID 995])

Attachments

(1 file, 2 obsolete files)

Combined patch
932 bytes, patch
Details | Diff | Splinter Review 
In function ecgroup_fromNameAndHex, there is a large if/then/else/if/then 
statement that deals with two cases, params->field == ECField_GFp and
params->field == ECField_GF2m.  There is no final "else" case to deal with
the possibility that params->field is not a known value.  

If params->field is not a known value, and params->text != NULL, 
this code will crash, trying to assign the return value from strdup
to group->text, but group will be NULL.

This code has been changed in the last month to fix bug 303116.  
The change did not fix this problem.

I think the fix is this tiny patch:

	/* set name, if any */
-	if (params->text != NULL) {
+	if (group && params->text != NULL) {

I think this can only happen due to a programming error in NSS.
And in the absense of any proof of such a programming error,
I think this fix can wait, potentially a long time, if necessary.
Priority: -- → P3
Whiteboard: [CID 995]
Attached patch Patch v1. (obsolete) — Splinter Review 
Patch v1.

Done as suggested in comment #0.
Assignee: nobody → sciguyryan+bugzilla
Status: NEW → ASSIGNED
Attachment #242658 - Flags: superreview?(wtchang)
Attachment #242658 - Flags: review?(nelson)
Comment on attachment 242658 [details] [diff] [review]
Patch v1.

r=nelson for trunk
Attachment #242658 - Flags: review?(nelson) → review+
Comment on attachment 242658 [details] [diff] [review]
Patch v1.

r=wtc.  This patch will allow the function
to return NULL without crashing.

This function doesn't set any error code right
now.  If we want to set the error code in the
future, we need a patch like what I'm going to
attach next.
Attachment #242658 - Flags: superreview?(wtchang) → superreview+
Attached patch Alternative patch (obsolete) — Splinter Review 
This patch sets 'res' to MP_UNDEF, which could be mapped
to an NSS error code in the future.  With the current code,
'res' could be MP_OKAY if params->field is an invalid value
and everything else in 'params' is good.
Attachment #243258 - Flags: review?(nelson)
Comment on attachment 243258 [details] [diff] [review]
Alternative patch

I vote for committing both of these patches, for belt AND suspenders.
Attachment #243258 - Flags: review?(nelson) → review+
Attached patch Combined patchSplinter Review 
With the alternative patch, you can prove that 'group' cannot
be NULL at that point.  Won't Coverity complain about the
unnecessary group != NULL test?  In any case, I checked this in
on the NSS trunk (NSS 3.12).

Checking in ecl.c;
/cvsroot/mozilla/security/nss/lib/freebl/ecl/ecl.c,v  <--  ecl.c
new revision: 1.12; previous revision: 1.11
done
Attachment #242658 - Attachment is obsolete: true
Attachment #243258 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: