M094 crash [@ GetOCSPResponders]

VERIFIED FIXED in psm2.1

Status

Core Graveyard
Security: UI
P1
critical
VERIFIED FIXED
17 years ago
2 years ago

People

(Reporter: jay, Assigned: David P. Drinan)

Tracking

({crash, topcrash})

1.0 Branch
psm2.1
x86
Windows NT
crash, topcrash

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: has-review, has-super-review,PDT+, crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

17 years ago
Not sure if this is really a security bug or a psm bug or something else, but it
is a topcrasher with Mozilla 0.9.4.  Here is the latest info from Talkback
topcrash reports:

GetOCSPResponders   65 
BBID range: 35401624 - 35502866
Min/Max Seconds since last crash: 8 - 62105
Min/Max Runtime: 15 - 62265
Crash data range: 2001-09-14 to 2001-09-17
Build ID range: 2001091311 to 2001091311

Stack Trace: 

	 GetOCSPResponders
[d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsNSSCertificate.cpp  line
3278]
	 nsOCSPResponder::CompareEntries
[d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsNSSCertificate.cpp  line
3262]
	 nsGenericFactory::CreateInstance
[d:\builds\seamonkey\mozilla\xpcom\components\nsGenericFactory.cpp  line 62]
	 nsComponentManagerImpl::CreateInstance
[d:\builds\seamonkey\mozilla\xpcom\components\nsComponentManager.cpp  line 1285]
	 nsComponentManager::CreateInstance
[d:\builds\seamonkey\mozilla\xpcom\components\nsRepository.cpp  line 82]
	 nsServiceManagerImpl::GetService
[d:\builds\seamonkey\mozilla\xpcom\components\nsServiceManager.cpp  line 345]
	 nsServiceManager::GetService
[d:\builds\seamonkey\mozilla\xpcom\components\nsServiceManager.cpp  line 560]
	 nsGetServiceByCID::operator()
[d:\builds\seamonkey\mozilla\xpcom\components\nsServiceManager.cpp  line 48]
	 nsCOMPtr_base::assign_from_helper
[d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp  line 66]
	 nsFormFrame::OnSubmit
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormFrame.cpp  line 708]
	 nsHTMLFormElement::DoSubmitOrReset
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLFormElement.cpp 
line 518]
	 nsHTMLFormElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLFormElement.cpp 
line 462]
	 PresShell::HandleDOMEventWithTarget
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5708]
	 nsFormControlHelper::DoManualSubmitOrReset
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormControlHelper.cpp  line
1002]
	 nsImageControlFrame::MouseClicked
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsImageControlFrame.cpp  line
463]
	 nsHTMLInputElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp 
line 1265]
	 PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5660]
	 PresShell::HandleEventWithTarget
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5630]
	 nsEventStateManager::CheckForAndDispatchClick
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp  line 2466]
	 nsEventStateManager::PostHandleEvent
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp  line 1552]
	 PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5681]
	 PresShell::HandleEvent
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 5585]
	 nsView::HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp  line 377]
	 nsViewManager::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp  line 2058]
	 HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp  line 68]
	 nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 732]
	 nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 749]
	 nsWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 4264]
	 ChildWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 4514]
	 nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 3251]
	 nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp  line 997]
	 KERNEL32.DLL + 0x363b (0xbff7363b)
	 KERNEL32.DLL + 0x24407 (0xbff94407)
	 0x00688b62
 
 	Source File :
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSCertificate.cpp
line : 3278
     (35492170)	URL: www.dell.fr
(35492170)
Comments: Simply open a list of options
     (35491369)	URL: http://www.dvdinside.de/dvd-inside/
(35491369)
Comments: - I clicked on the link "Preissuche" - I entered a title in the
search field of the form "Verschollen" - I clicked on "Suche starten" ****Error
     (35488097)	Comments: query bugs about mozilla-mail on mozilla.org
     (35487801)	URL: http://www.useit.com/
(35487801)
Comments: clicking the search button. Having checked with one other form, I get
the impression that this crash will occur on any form submission to any site.
     (35487137)	URL: http://www.livejournal.com/login.bml
(35487137)
Comments: submitted form with livejournal.com username and password
     (35486565)	Comments: clicking on a link www.heise.de "ilink" Montorit is the first crash...
     (35465925)	Comments: It crashes after any form submission (both POST and GET)  had no
problems with Mozilla 0.9.3
     (35464358)	URL: www.google.ca
(35464125)
URL: www.chalktv.com
(35457987)
URL: http://komodo.mozilla.org/buster
(35457511)
URL: www.chalktv.com
(35457449)
URL: www.chalktv.com
(35456977)
URL: www.x.themes.org
(35440169)
URL: www.google.com
(35440169)
Comments: typed in text and clicked on search
     (35431927)	URL: mail.yahoo.com
     (35431927)	Comments: Attempting to login with password.  This version consistently
crashes whenever submitting form information.
     (35425112)	URL: www.google.com
(35425112)
Comments: starting a search in a new window
     (35420848)	URL: www.hotmail.com
(35420848)
Comments: I put in my user name and password  clicked "submit" (or whatever the
button is)  and it crashed.  This immediately after installing .9.4 over .9.3.
     (35414218)	URL: http://www.whowhere.com
(35409541)
Comments: I can't seem to submit any form information via http post.  I've tried
this on several sites now.  I'm going to try uninstalling mozilla entirely and
re-install .9.4 from scratch rather than over .9.3.
     (35407404)	Comments: I pressed a submit button..  [:(] 
(35407349)
Comments: If I click *any* submit button on *any* HTML page  Mozilla
0.94 crashes.  [:(] 
(35406665)
URL: www.sf.net
(35406665)
Comments: tried to do a search at this site
     (35404852)	Comments: I was accessing a drop-down box.
     (35402987)	URL: http://www.slashdot.org/
(35402987)
Comments: I was on the slashdot site logged in under my user account.  I was
looking at the main page. 1. I clicked on one of the links to view the comments
of a particular article (under the article it says 2 of 93 comments--I clicked
on the 93).  2. While
     (35402987)	Comments:  the page was loading  I realized I wanted to see the comments at
-1 flat--not -1 threaded.  So I changed the dropdown from threaded to flat and
clicked submit on the page that was loading.  3. Then it crashed. I can reproduce
the problem following
     (35402987)	Comments:  these steps regularly.
     (35401760)	URL: www.google.com
(35401760)
Comments: selected the url from the quick dropdown list


It is happening across all Win32 platforms.
(Reporter)

Comment 1

17 years ago
Adding crash, topcrash keywords and M094 [@ GetOCSPResponders] to summary for
tracking.
Keywords: crash, topcrash

Comment 2

17 years ago
if the crash is in 
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSCertificate.cpp
then this is a ddrinan javi mcgreer bug...

 

3268 ddrinan   1.23 {
3269                  nsISupportsArray *array = NS_STATIC_CAST(nsISupportsArray*, aArg);
3270                  PRUnichar* nn = nsnull;
3271                  PRUnichar* url = nsnull;
3272                  char *serviceURL = nsnull;
3273                  char *nickname = nsnull;
3274                  PRUint32 i, count;
3275                  nsresult rv;
3276                
3277                  // Are we interested in this cert //
3278                  if (!nsOCSPResponder::IncludeCert(aCert)) {
3279                    return SECSuccess;
3280                  }
3281                
3282                  // Get the AIA and nickname //
3283                  serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert);
3284                  if (serviceURL) {
3285                	url = NS_ConvertASCIItoUCS2(serviceURL).ToNewUnicode();
3286                  }
3287                
3288                  nickname = aCert->nickname;
3289 ddrinan   1.23 nn = NS_ConvertASCIItoUCS2(nickname).ToNewUnicode();
3290                
3291                  nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url);
3292                

Assignee: mstoltz → ddrinan

Comment 3

17 years ago
over to PSM
Component: Security: General → Client Library
Product: Browser → PSM
Target Milestone: --- → 2.1
Version: other → 2.1

Comment 4

17 years ago
P1 as per topcrash reports.
Priority: -- → P1
(Assignee)

Comment 5

17 years ago
Created attachment 49964 [details] [diff] [review]
Patch to check that trust pointer is non-null.
(Assignee)

Comment 6

17 years ago
I examined the area of code where the topcrash indicates the crash occurred. I
noticed that the trust pointer we get back from the cert is not checked. This
may be the problem if the user has a cert database with badly formed CA certs.
The above patch verifies that the trust pointer is non-null before using it.

Comment 7

17 years ago
r=rangansen

Updated

17 years ago
Whiteboard: has-review

Comment 8

17 years ago
added has-review in status.
Sent email to reviewers@mozilla.org:
   The bug is a top crash on the 094 branch. David Drinan has investigated the
problem, which has not been successfully reproduced, and only found one place
where defensive coding can be added in case the content of a user cert database
is corrupted or contained malformed Certificate Authority certificates.

    The fix does not push the crash to another part of the application as the
only effect of checking for the null pointer is to omit such a malformed
certificate from a list to be considered for further processing.

Comment 9

17 years ago
adding patch, review
Keywords: patch, review

Comment 10

17 years ago
Comment on attachment 49964 [details] [diff] [review]
Patch to check that trust pointer is non-null.

sr=kin@netscape.com

Do we want to add an assertion to flag when/if this happens? Or would that not be helpful?

Comment 11

17 years ago
Comment on attachment 49964 [details] [diff] [review]
Patch to check that trust pointer is non-null.

has-review

Comment 12

17 years ago
David will add the assert.  The main value of the assert would be to identify a
bad database which we would want to dissect.
Whiteboard: has-review → has-review, has-super-review
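
The defensive check described in Comments 6, 8 and 12, as an added C++ illustration that is not the attached patch or PSM code: ModelTrust, ModelCert, IncludeCertModel and the flag value are constructed stand-ins, and placing the check in the filter function is an assumption. A certificate whose trust pointer is null is left out of the responder list and recorded, at the point where a debug build would assert.

```cpp
// Added illustration: ModelTrust, ModelCert, IncludeCertModel and kTrustedCA are
// constructed stand-ins, not the NSS/PSM types or the attached patch.
#include <cstdint>
#include <string>
#include <vector>

struct ModelTrust { std::uint32_t sslFlags; };   // stand-in for a cert's trust record
struct ModelCert {
    std::string nickname;
    const ModelTrust* trust;                     // null for a malformed database entry
};

constexpr std::uint32_t kTrustedCA = 0x10;       // constructed flag value

struct ResponderScan {
    std::vector<std::string> responders;         // certs kept for the responder list
    std::vector<std::string> malformed;          // certs skipped because trust was null
};

// Hardened filter: a null trust pointer means "not interested", never a dereference.
bool IncludeCertModel(const ModelCert& cert, bool* wasMalformed) {
    *wasMalformed = (cert.trust == nullptr);
    if (*wasMalformed) {
        return false;                            // omit the cert from further processing
    }
    return (cert.trust->sslFlags & kTrustedCA) != 0;
}

// Per-certificate traversal, in the shape of the callback seen in the stack trace.
ResponderScan CollectResponders(const std::vector<ModelCert>& db) {
    ResponderScan out;
    for (const ModelCert& cert : db) {
        bool malformed = false;
        if (IncludeCertModel(cert, &malformed)) {
            out.responders.push_back(cert.nickname);
        } else if (malformed) {
            out.malformed.push_back(cert.nickname);  // where a debug build would assert
        }
    }
    return out;
}

// Constructed sample database: one trusted CA, one non-CA cert, one entry with no trust.
ResponderScan ScanSampleDb() {
    static const ModelTrust ca{kTrustedCA}, leaf{0};
    return CollectResponders({{"Example Root CA", &ca},
                              {"Example Leaf", &leaf},
                              {"Corrupt Entry", nullptr}});
}
```
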
(Assignee)

Comment 13

17 years ago
Created attachment 50183 [details] [diff] [review]
Updated patch with assert added.

Comment 14

17 years ago
Comment on attachment 49964 [details] [diff] [review]
Patch to check that trust pointer is non-null.

Obsoleting the first patch.
Attachment #49964 - Attachment is obsolete: true
Attachment #49964 - Flags: superreview+
Attachment #49964 - Flags: review+

Comment 15

17 years ago
Comment on attachment 50183 [details] [diff] [review]
Updated patch with assert added.

sr=kin@netscape.com
Attachment #50183 - Flags: superreview+

Comment 16

17 years ago
Comment on attachment 50183 [details] [diff] [review]
Updated patch with assert added.

r=rangansen
Attachment #50183 - Flags: review+

Comment 17

17 years ago
check it in - PDT+
Whiteboard: has-review, has-super-review → has-review, has-super-review,PDT+
(Assignee)

Comment 18

17 years ago
Patch checked into trunk and branch. Since we are not sure that this fixes the
problem, verification of this fix should include analysis of talkback reports
for builds that have this patch.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Updated

17 years ago
QA Contact: bsharma → junruh

Comment 19

17 years ago
Verified. No similar stack signatures since 9/16.
Status: RESOLVED → VERIFIED

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

10 years ago
Version: psm2.1 → 1.0 Branch
Crash Signature: [@ GetOCSPResponders]
Product: Core → Core Graveyard