Closed
Bug 1117617
Opened 11 years ago
Closed 11 years ago
Uninitialized return value in nss_dbm_db_set_label()
Categories
(NSS :: Libraries, defect)
Tracking
(firefox37 unaffected, firefox38 unaffected)
RESOLVED
FIXED
3.17.4
| Tracking | Status | |
|---|---|---|
| firefox37 | --- | unaffected |
| firefox38 | --- | unaffected |
People
(Reporter: n.nethercote, Assigned: keeler)
References
Details
(Keywords: csectype-uninitialized, sec-other)
Attachments
(1 file)
|
909 bytes,
patch
|
KaiE
:
review+
|
Details | Diff | Splinter Review |
cppcheck says:
> security/nss/lib/ckfw/dbm/db.c:141: error: Uninitialized variable: rv
As far as I can tell it's correct -- in the first |return| statement |rv| is undefined.
I think it should probably instead be more like nss_dbm_db_delete_object() and return the return value from the failed NSSCKFWMutex_Lock() call.
And someone who understands this code should audit all the other uses of NSSCKFWMutex_Lock() in this file...
- Some of them look ok -- e.g. on lock failure they return NULL or CK_FALSE, which might be ok.
- But nss_dbm_db_new_handle() looks like it doesn't set |*pError| in all the cases it should.
- And nss_dbm_db_get_object_attribute_count() returns 0 instead of |*pError| if locking fails -- and 0 is CKR_OK! Likewise with nss_dbm_db_get_object_attribute_size().
|
Reporter | |
Updated•11 years ago
|
Component: CA Certificates → Libraries
|
||
Updated•11 years ago
|
Keywords: csectype-uninitialized
|
|
Assignee | |
Comment 2•11 years ago
|
||
The other cases looked ok (some of them don't return a CK_RV, and so aren't supposed to be error codes).
Wan-Teh, would you mind having a look? Thanks.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Flags: needinfo?(dkeeler)
Attachment #8548379 -
Flags: review?(wtc)
|
||
Updated•11 years ago
|
|
||
Comment 4•11 years ago
|
||
(In reply to Nicholas Nethercote [:njn] from comment #0)
> - And nss_dbm_db_get_object_attribute_count() returns 0 instead of |*pError|
> if locking fails -- and 0 is CKR_OK! Likewise with
> nss_dbm_db_get_object_attribute_size().
Because they don't return status error type CK_RV, they return a numeric result.
Returning 0 seems to be the right result code for the count/size functions.
The other places that call NSSCKFWMutex_Lock look correct to me, too.
|
|
||
Comment 5•11 years ago
|
||
Comment on attachment 8548379 [details] [diff] [review]
patch
r=kaie
Attachment #8548379 -
Flags: review?(wtc) → review+
|
|
Assignee | |
Comment 6•11 years ago
|
||
(In reply to David Bolter [:davidb] from comment #3)
> David, what is the security severity of this bug?
As far as I can tell, NSSCKFWMutex_Lock never returns anything other than CKR_OK, so this isn't even a security problem with the current code. Still good to fix, though, in case the underlying implementation changes.
Flags: needinfo?(dkeeler)
|
|
Assignee | |
Comment 7•11 years ago
|
||
Kai, would you mind checking this patch in when appropriate? Thanks.
Flags: needinfo?(kaie)
|
|
||
Comment 8•11 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> As far as I can tell, NSSCKFWMutex_Lock never returns anything other than
> CKR_OK, so this isn't even a security problem with the current code. Still
> good to fix, though, in case the underlying implementation changes.
Does that mean we can open up this bug?
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> Kai, would you mind checking this patch in when appropriate? Thanks.
Sure, I'll do. Once I check it in, it's probably no longer of any value to keep this bug security/hidden anyway.
Flags: needinfo?(kaie)
|
|
||
Updated•11 years ago
|
Keywords: checkin-needed
|
|
||
Comment 10•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → 3.18
|
||
Comment 12•11 years ago
|
||
Tracking for 37 as well since that is impacted. Kai - do we need a bug for bumping NSS version in FF37 for this and bug 1117621?
tracking-firefox37:
--- → +
Flags: needinfo?(kaie)
|
|
||
Comment 13•11 years ago
|
||
keeler - Can you answer Lukas' question in comment 12?
Flags: needinfo?(dkeeler)
|
|
Assignee | |
Comment 14•11 years ago
|
||
Neither this bug nor bug 1117621 impact the security of Firefox (see comment 6 and bug 1117621 comment 5 for why), so it's not necessary to update NSS in FF37 for these bugs. However, there may be other bugs for which we would need to update. Kai would know the answer to that. I'll specifically ask in this week's NSS meeting if he doesn't respond here before then.
Flags: needinfo?(dkeeler)
|
|
||
Comment 15•11 years ago
|
||
Clearing 37 tracking and status based on comment 14. If there are others bugs that require an NSS update, please nom those bugs for tracking.
tracking-firefox37:
+ → ---
|
|
||
Comment 16•10 years ago
|
||
This bug is fixed in NSS 3.17.4, and Firefox 37 already uses NSS 3.17.4
Flags: needinfo?(kaie)
You need to log in
before you can comment on or make changes to this bug.
Description
•