Closed
Bug 1174781
Opened 9 years ago
Closed 9 years ago
PR_GetInheritedFD can use uninitialized variables
Categories
(NSPR :: NSPR, defect, P2)
NSPR
NSPR
Tracking
(Not tracked)
RESOLVED
FIXED
4.10.9
People
(Reporter: q1, Assigned: wtc)
Details
(Keywords: csectype-uninitialized)
Attachments
(1 file)
935 bytes,
patch
|
ted
:
review+
q1
:
feedback+
wtc
:
checked-in+
|
Details | Diff | Splinter Review |
PR_GetInheritedFD (38.0.1\nsprpub\pr\src\misc\prinit.c line 624) fails to check the return value from PR_sscanf, but still uses the resulting uninitialized variables: 631: PROsfd osfd; 632: int nColons; 633: PRIntn fileType; ... 645: PR_sscanf(ptr, "%d:0x%" PR_SCNxOSFD, &fileType, &osfd); 646: switch ((PRDescType)fileType) { 647: case PR_DESC_FILE: 648: fd = PR_ImportFile(osfd); 649: break; ... ... // more of the same As far as I can tell, PR_GetInheritedFD presently is called only from test code and a standalone utility: 38.0.1\nsprpub\pr\tests\pipepong2.c(37): pipe_read = PR_GetInheritedFD("PIPE_READ"); 38.0.1\nsprpub\pr\tests\pipepong2.c(39): fprintf(stderr, "PR_GetInheritedFD failed\n"); 38.0.1\nsprpub\pr\tests\pipepong2.c(47): pipe_write = PR_GetInheritedFD("PIPE_WRITE"); 38.0.1\nsprpub\pr\tests\pipepong2.c(49): fprintf(stderr, "PR_GetInheritedFD failed\n"); 38.0.1\nsprpub\pr\tests\sockpong.c(37): sock = PR_GetInheritedFD("SOCKET"); 38.0.1\nsprpub\pr\tests\sockpong.c(39): fprintf(stderr, "PR_GetInheritedFD failed\n"); 38.0.1\security\nss\cmd\selfserv\selfserv.c(2411): listen_sock = PR_GetInheritedFD(inheritableSockName); 38.0.1\security\nss\cmd\selfserv\selfserv.c(2413): errExit("PR_GetInheritedFD"); so I guess that this bug doesn't presently cause an important security problem.
Comment 1•9 years ago
|
||
This is only used in the selfserv command-line utility in NSS, not part of Firefox.
Assignee: nobody → wtc
Group: core-security
Component: Untriaged → NSPR
Keywords: csectype-uninitialized
Product: Firefox → NSPR
Version: 38 Branch → other
Assignee | ||
Comment 2•9 years ago
|
||
q1: thank you very much for the bug report. Please test and review this patch. Kai: PR_sscanf returns the number of values converted from the input. We want to convert two values in this PR_sscanf call, so I compare its return value with 2. On error, I am just using the same error reporting code used by this function, which sets a useless error code (PR_UNKNOWN_ERROR) and returns NULL.
Attachment #8624864 -
Flags: review?(kaie)
Attachment #8624864 -
Flags: feedback?(q1)
Assignee | ||
Updated•9 years ago
|
Status: NEW → ASSIGNED
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
Target Milestone: --- → 4.10.9
(In reply to Wan-Teh Chang from comment #2) > Created attachment 8624864 [details] [diff] [review] > Proposed patch: check the return value of PR_sscanf > > q1: thank you very much for the bug report. Please test > and review this patch. The patch looks correct. I don't have a testbench setup, so I haven't tested it.
Comment on attachment 8624864 [details] [diff] [review] Proposed patch: check the return value of PR_sscanf Review of attachment 8624864 [details] [diff] [review]: ----------------------------------------------------------------- I didn't notice this tool at first. The patch looks OK. I don't have a testbench setup, so I haven't tested it.
Assignee | ||
Comment 6•9 years ago
|
||
q1: click the "Review" link to the right of the attachment named "Proposed patch: check the return value of PR_sscanf". For your convenience, you can reach there with this link: https://bugzilla.mozilla.org/page.cgi?id=splinter.html&bug=1174781&attachment=8624864 Then, change the '?' for feedback to a space (which cancels/clears the feedback request), '+' (which indicates your approval), or '-' (which indicates your disapproval). You can add an optional comment in the text field. Then Click the "Publish" button.
Attachment #8624864 -
Flags: feedback?(q1) → feedback+
Assignee | ||
Comment 8•9 years ago
|
||
Comment on attachment 8624864 [details] [diff] [review] Proposed patch: check the return value of PR_sscanf Kai, Ted: please review this patch. Thanks.
Attachment #8624864 -
Flags: review?(ted)
Updated•9 years ago
|
Attachment #8624864 -
Flags: review?(ted) → review+
Assignee | ||
Comment 9•9 years ago
|
||
Comment on attachment 8624864 [details] [diff] [review] Proposed patch: check the return value of PR_sscanf https://hg.mozilla.org/projects/nspr/rev/e2177b7f79f5
Attachment #8624864 -
Flags: checked-in+
Assignee | ||
Updated•9 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
Attachment #8624864 -
Flags: review?(kaie)
You need to log in
before you can comment on or make changes to this bug.
Description
•