Closed
Bug 100213
Opened 23 years ago
Closed 23 years ago
M094 crash [@ GetOCSPResponders]
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.1
People
(Reporter: jay, Assigned: ddrinan0264)
Details
(Keywords: crash, topcrash, Whiteboard: has-review, has-super-review,PDT+)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
746 bytes,
patch
|
rangansen
:
review+
kinmoz
:
superreview+
|
Details | Diff | Splinter Review |
Not sure if this is really a security bug or a psm bug or something else, but it is a topcrasher with Mozilla 0.9.4. Here is the latest info from Talkback topcrash reports: GetOCSPResponders 65 BBID range: 35401624 - 35502866 Min/Max Seconds since last crash: 8 - 62105 Min/Max Runtime: 15 - 62265 Crash data range: 2001-09-14 to 2001-09-17 Build ID range: 2001091311 to 2001091311 Stack Trace: GetOCSPResponders [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsNSSCertificate.cpp line 3278] nsOCSPResponder::CompareEntries [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsNSSCertificate.cpp line 3262] nsGenericFactory::CreateInstance [d:\builds\seamonkey\mozilla\xpcom\components\nsGenericFactory.cpp line 62] nsComponentManagerImpl::CreateInstance [d:\builds\seamonkey\mozilla\xpcom\components\nsComponentManager.cpp line 1285] nsComponentManager::CreateInstance [d:\builds\seamonkey\mozilla\xpcom\components\nsRepository.cpp line 82] nsServiceManagerImpl::GetService [d:\builds\seamonkey\mozilla\xpcom\components\nsServiceManager.cpp line 345] nsServiceManager::GetService [d:\builds\seamonkey\mozilla\xpcom\components\nsServiceManager.cpp line 560] nsGetServiceByCID::operator() [d:\builds\seamonkey\mozilla\xpcom\components\nsServiceManager.cpp line 48] nsCOMPtr_base::assign_from_helper [d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp line 66] nsFormFrame::OnSubmit [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormFrame.cpp line 708] nsHTMLFormElement::DoSubmitOrReset [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLFormElement.cpp line 518] nsHTMLFormElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLFormElement.cpp line 462] PresShell::HandleDOMEventWithTarget [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5708] nsFormControlHelper::DoManualSubmitOrReset [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormControlHelper.cpp line 1002] nsImageControlFrame::MouseClicked [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsImageControlFrame.cpp line 463] nsHTMLInputElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp line 1265] PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5660] PresShell::HandleEventWithTarget [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5630] nsEventStateManager::CheckForAndDispatchClick [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp line 2466] nsEventStateManager::PostHandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp line 1552] PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5681] PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5585] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 377] nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp line 2058] HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 68] nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 732] nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 749] nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4264] ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4514] nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 3251] nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 997] KERNEL32.DLL + 0x363b (0xbff7363b) KERNEL32.DLL + 0x24407 (0xbff94407) 0x00688b62 Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSCertificate.cpp line : 3278 (35492170) URL: www.dell.fr (35492170) Comments: Simply open a list of options (35491369) URL: http://www.dvdinside.de/dvd-inside/ (35491369) Comments: - i clicked on the link "Preissuche"- i entered a title in the searchfield of the form "Verschollen"- i clicked on "Suche starten"****Error (35488097) Comments: query bugs about mozilla-mail on mozilla.org (35487801) URL: http://www.useit.com/ (35487801) Comments: clicking the search button.having checked with one other form i get the impression that this crash will occur on any form submission to any site. (35487137) URL: http://www.livejournal.com/login.bml (35487137) Comments: submitted form with livejournal.com username and password (35486565) Comments: clicking on a link www.heise.de "ilink" Montorit is the first crash... (35465925) Comments: It crashes after any form submission (both POST and GET) had no problems with Mozilla 0.9.3 (35464358) URL: www.google.ca (35464125) URL: www.chalktv.com (35457987) URL: http://komodo.mozilla.org/buster (35457511) URL: www.chalktv.com (35457449) URL: www.chalktv.com (35456977) URL: www.x.themes.org (35440169) URL: www.google.com (35440169) Comments: typed in text and clicked on search (35431927) URL: mail.yahoo.com (35431927) Comments: Attempting to login with password. This version consistently crashes whenever submitting form information. (35425112) URL: www.google.com (35425112) Comments: starting a search in a new window (35420848) URL: www.hotmail.com (35420848) Comments: I put in my user name and password clicked "submit" (or whatever the button is) and it crashed. This immediately after installing .9.4 over .9.3. (35414218) URL: http://www.whowhere.com (35409541) Comments: I can't seem to submit any form information via http post. I've tried this on several sites now. I'm going to try uninstalling mozilla entirely and re-install .9.4 from scratch rather than over .9.3. (35407404) Comments: I pressed a a submit button.. [:(] (35407349) Comments: If I click *any* submit button on *any* HTML page Mozilla 0.94crashes. [:(] (35406665) URL: www.sf.net (35406665) Comments: tried to do a search at this site (35404852) Comments: I was accessing a drop-down box. (35402987) URL: http://www.slashdot.org/ (35402987) Comments: I was on the slashdot site logged in under my user account. I was looking at the main page.1. I clicked on one of the links to view the comments of a particular article (under the article it says 2 of 93 comments--i clicked on the 93). 2. While (35402987) Comments: the page was loading I realized I wanted to see the comments at -1 flat--not -1 threaded. So i changed the dropdown from threaded to flat and clicked submit on the page that was loading. 3. Then it crashed.I can reproduce the problem following (35402987) Comments: these steps regularly. (35401760) URL: www.google.com (35401760) Comments: selected the url from the quick dropdown list It is happening across all Win32 platforms.
|
Reporter | |
Comment 1•23 years ago
|
||
Adding crash, topcrash keywords and M094 [@ GetOCSPResponders] to summary for tracking.
|
||
Comment 2•23 years ago
|
||
if the crash is in http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSCertificate.cpp then this is a ddrianan javi mcgreer bug... 3268 ddrinan 1.23 { 3269 nsISupportsArray *array = NS_STATIC_CAST(nsISupportsArray*, aArg); 3270 PRUnichar* nn = nsnull; 3271 PRUnichar* url = nsnull; 3272 char *serviceURL = nsnull; 3273 char *nickname = nsnull; 3274 PRUint32 i, count; 3275 nsresult rv; 3276 3277 // Are we interested in this cert // 3278 if (!nsOCSPResponder::IncludeCert(aCert)) { 3279 return SECSuccess; 3280 } 3281 3282 // Get the AIA and nickname // 3283 serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert); 3284 if (serviceURL) { 3285 url = NS_ConvertASCIItoUCS2(serviceURL).ToNewUnicode(); 3286 } 3287 3288 nickname = aCert->nickname; 3289 ddrinan 1.23 nn = NS_ConvertASCIItoUCS2(nickname).ToNewUnicode(); 3290 3291 nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url); 3292
Assignee: mstoltz → ddrinan
|
||
Comment 3•23 years ago
|
||
over to PSM
Component: Security: General → Client Library
Product: Browser → PSM
Target Milestone: --- → 2.1
Version: other → 2.1
|
Assignee | |
Comment 5•23 years ago
|
||
|
|
Assignee | |
Comment 6•23 years ago
|
||
I examined the area of code where the topcrash indicates the crash occured. I noticed that the trust pointer we get back from the cert is not checked. This may be the problem if the user has a cert database with badly formed CA certs. The above patch verifies that the trust pointer is non-null before using it.
|
||
Comment 7•23 years ago
|
||
r=rangansen
|
|
||
Updated•23 years ago
|
Whiteboard: has-review
|
|
||
Comment 8•23 years ago
|
||
added has-review in status. Sent email to reviewers@mozilla.org: The bug is a top crash on the 094 branch. David Drinan has investigated the problem, which has not been successfully reproduced, and only found one place where defensive coding can be added in case the content of a user cert database is corrupted or contained malformed Certitficate Authority certificates. The fix does not push the crash to another part of the application as the only effect of checking for the null pointer is to omit such a malformed certficate from a list to be considered for further processing.
|
||
Comment 10•23 years ago
|
||
Comment on attachment 49964 [details] [diff] [review] Patch to check that trust pointer is non-null. sr=kin@netscape.com Do we want to add an assertion to flag when/if this happens? Or would that not be helpful?
|
|
||
Comment 11•23 years ago
|
||
Comment on attachment 49964 [details] [diff] [review] Patch to check that trust pointer is non-null. has-review
|
|
||
Comment 12•23 years ago
|
||
David will add the assert. The main value of the assert would be to identify a bad database which we would want to dissect.
Whiteboard: has-review → has-review, has-super-review
|
|
Assignee | |
Comment 13•23 years ago
|
||
|
|
||
Comment 14•23 years ago
|
||
Comment on attachment 49964 [details] [diff] [review] Patch to check that trust pointer is non-null. Obsoleting the fist patch.
Attachment #49964 -
Attachment is obsolete: true
Attachment #49964 -
Flags: superreview+
Attachment #49964 -
Flags: review+
|
|
||
Comment 15•23 years ago
|
||
Comment on attachment 50183 [details] [diff] [review] Updated patch with assert added. sr=kin@netscape.com
Attachment #50183 -
Flags: superreview+
|
|
||
Comment 16•23 years ago
|
||
Comment on attachment 50183 [details] [diff] [review] Updated patch with assert added. r=rangansen
Attachment #50183 -
Flags: review+
|
||
Comment 17•23 years ago
|
||
check it in - PDT+
Whiteboard: has-review, has-super-review → has-review, has-super-review,PDT+
|
|
Assignee | |
Comment 18•23 years ago
|
||
Patch checked into trunk and branch. Since we are not sure that this fixes the problem, verification of this fix should include analysis of talkback reports for builds that have this patch.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
||
Updated•23 years ago
|
QA Contact: bsharma → junruh
|
|
||
Comment 19•23 years ago
|
||
Verified. No similar stack signatures since 9/16.
Status: RESOLVED → VERIFIED
|
||
Updated•13 years ago
|
Crash Signature: [@ GetOCSPResponders]
|
|
||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•