NSS3.4 build. Client Auth causes a crash

VERIFIED FIXED in psm2.2

Status

Product: Core Graveyard
Component: Security: UI
Priority: P1
Severity: normal
Status: VERIFIED FIXED
Opened: 16 years ago
Updated: a year ago

People

(Reporter: John Unruh, Assigned: kaie)

Tracking

Version: 1.0 Branch
Target Milestone: psm2.2
Hardware: x86
OS: Windows 2000

Details

(URL)

(Reporter)

Description

16 years ago
1.) Visit the above AOL site and get a cert.
2.) Visit https://pki.mcom.com:6007/tests.html and use the cert for client auth.
What happens: Crash.

Updated

16 years ago
Priority: -- → P1
Target Milestone: --- → 2.2
(Assignee)

Comment 1

16 years ago
I tried using a different website, and I saw a crash, too.

At the topmost level, tmp points to memory location 0xdadadada, i.e.
uninitialized memory.

#0  0x43585a59 in CERT_DestroyCertificate (cert=0x88a5218) at stanpcertdb.c:442
#1  0x43580484 in CERT_RemoveCertListNode (node=0x8893668) at certdb.c:2010
#2  0x43558119 in CERT_FilterCertListByCANames (certList=0x88935a8, nCANames=1,
caNames=0x881ecb0, usage=certUsageSSLClient) at certvfy.c:1385
#3  0x434655ef in nsNSS_SSLGetClientAuthData (arg=0x87f5f80, socket=0x87f5bd0,
caNames=0x4103e530, pRetCert=0x87da9c0, pRetKey=0x87da9c4) at
../../../../../mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp:1661
#4  0x43515d53 in ssl3_HandleCertificateRequest (ss=0x87f6270, b=0x87fbfd2
"\016", length=0) at ssl3con.c:4535
#5  0x4351b515 in ssl3_HandleHandshakeMessage (ss=0x87f6270, b=0x87fbefc
"\002\001\002", length=214) at ssl3con.c:7166
#6  0x4351b87e in ssl3_HandleHandshake (ss=0x87f6270, origBuf=0x815a314) at
ssl3con.c:7266
#7  0x4351c08d in ssl3_HandleRecord (ss=0x87f6270, cText=0x4103e69c,
databuf=0x815a314) at ssl3con.c:7531
#8  0x4351d1a5 in ssl3_GatherCompleteHandshake (ss=0x87f6270, flags=0) at
ssl3gthr.c:204
#9  0x4351d27e in ssl3_GatherAppDataRecord (ss=0x87f6270, flags=0) at ssl3gthr.c:234
#10 0x4352877b in DoRecv (ss=0x87f6270, out=0x437004e8 "", len=4096, flags=0) at
sslsecur.c:515
#11 0x43529755 in ssl_SecureRecv (ss=0x87f6270, buf=0x437004e8 "", len=4096,
flags=0) at sslsecur.c:1048
#12 0x435297cb in ssl_SecureRead (ss=0x87f6270, buf=0x437004e8 "", len=4096) at
sslsecur.c:1057
#13 0x4352f5e4 in ssl_Read (fd=0x87f5bd0, buf=0x437004e8, len=4096) at
sslsock.c:1232
#14 0x434638b4 in nsSSLIOLayerRead (fd=0x8735a88, buf=0x437004e8, amount=4096)
at ../../../../../mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp:665
#15 0x403157ff in PR_Read (fd=0x8735a88, buf=0x437004e8, amount=4096) at
../../../../../mozilla/nsprpub/pr/src/io/priometh.c:136
#16 0x4093e355 in nsSocketIS::Read (this=0x43700440, aBuf=0x437004e8 "",
aCount=4096, aBytesRead=0x4103e86c) at
../../../../mozilla/netwerk/base/src/nsSocketTransport.cpp:2337
#17 0x409810fd in nsHttpTransaction::Read (this=0x87c3560, buf=0x437004e8 "",
count=4096, bytesWritten=0x4103e86c) at
../../../../../mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:830
#18 0x4021c8d6 in nsReadFromInputStream (outStr=0x876809c, closure=0x87c3568,
toRawSegment=0x437004e8 "", offset=0, count=4096, readCount=0x4103e86c) at
../../../mozilla/xpcom/io/nsPipe2.cpp:845
#19 0x4021c408 in nsPipe::nsPipeOutputStream::WriteSegments (this=0x876809c,
reader=0x4021c8a0 <nsReadFromInputStream(nsIOutputStream *, void *, char *,
unsigned int, unsigned int, unsigned int *)>, closure=0x87c3568, count=16384,
writeCount=0x4103e910) at ../../../mozilla/xpcom/io/nsPipe2.cpp:719
#20 0x4021c920 in nsPipe::nsPipeOutputStream::WriteFrom (this=0x876809c,
fromStream=0x87c3568, count=16384, writeCount=0x4103e910) at
../../../mozilla/xpcom/io/nsPipe2.cpp:853
#21 0x4094518e in nsStreamListenerProxy::OnDataAvailable (this=0x87416b8,
request=0x87c3564, context=0x0, source=0x87c3568, offset=0, count=16384) at
../../../../mozilla/netwerk/base/src/nsStreamListenerProxy.cpp:303
#22 0x4097f81f in nsHttpTransaction::OnDataReadable (this=0x87c3560,
is=0x43700440) at
../../../../../mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:238
#23 0x4097e92b in nsHttpConnection::OnDataAvailable (this=0x87df340,
request=0x87680e0, context=0x0, inputStream=0x43700440, offset=0, count=8192) at
../../../../../mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:700
(Assignee)

Comment 2

16 years ago
adding dependency
Blocks: 116334

Comment 3

16 years ago
Ian,

Stephane has run into the same crash. The problem is with Reference counting.
This is a case where the cert is never placed in any cache or temp storage, so it
winds up with a reference of '2', so we 'remove' it from the cache, decrement
the count and free it, but there is still a reference in the certlist.

If we need to keep references in the cache or temp storage areas, we should
really implement soft references of some kind, we can't just assume that a cert
is in one of these areas.

bob

Comment 4

16 years ago
> Stephane has run into the same crash. The problem is with Reference counting.
> This is a case where the cert is never placed in any cache or temp storage, so it
> winds up with a reference of '2', so we 'remove' it from the cache, decrement
> the count and free it, but there is still a reference in the certlist.

That can't be the problem.  We *attempt* to remove it from the cache, but if it
is not there, nothing happens.  NSSCertificate_Destroy is only called if the
cache actually had a reference to a cert and released it.

The problem may be in new code that misses a ref count, but I don't think the
Destroy method is causing this.
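
The disagreement between Comments 3 and 4, as an added example that is not part of the original thread and is not NSS code: a toy reference-counted cert, a one-slot cache and a list reference, with every name hypothetical. It shows why a cache removal that drops a reference it never held leaves the cert list pointing at a destroyed object, while a removal that releases only a reference the cache actually owned does not.

```c
/* Toy model, not NSS code: all names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { int refs; bool destroyed; } Cert;
typedef struct { Cert *slot; } Cache;   /* a one-entry cache is enough here */

static Cert *cert_ref(Cert *c) { c->refs++; return c; }

/* Drop one reference; mark destroyed at zero (a real implementation would
 * free the object here, which is what makes a stale pointer dangerous). */
static void cert_release(Cert *c) {
    if (--c->refs == 0) c->destroyed = true;
}

/* The hypothesis in Comment 3: removal drops a reference even when the
 * cache never held one. */
static void cache_remove_unconditional(Cache *k, Cert *c) {
    if (k->slot == c) k->slot = NULL;
    cert_release(c);
}

/* The behaviour described in Comment 4: release only what the cache owned. */
static void cache_remove_checked(Cache *k, Cert *c) {
    if (k->slot != c) return;           /* not cached: nothing happens */
    k->slot = NULL;
    cert_release(c);
}

/* Scenario: cert referenced by the caller and by a cert list, never cached.
 * Returns true if the list is left pointing at a destroyed cert. */
static bool list_entry_dangles(void (*cache_remove)(Cache *, Cert *)) {
    Cert cert = { .refs = 1, .destroyed = false };  /* caller's reference */
    Cache cache = { .slot = NULL };                 /* cert never cached */
    Cert *list_node = cert_ref(&cert);              /* list's reference, refs == 2 */

    cache_remove(&cache, &cert);    /* "remove it from the cache" */
    cert_release(&cert);            /* caller drops its own reference */

    return list_node->destroyed;    /* the list has not released yet */
}

int main(void) {
    printf("unconditional: dangling=%d\n", list_entry_dangles(cache_remove_unconditional));
    printf("checked:       dangling=%d\n", list_entry_dangles(cache_remove_checked));
    return 0;
}
```
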
(Assignee)

Comment 5

16 years ago
With the NSS trunk from 17:20, I no longer crash, and am successfully able to
access the site.

Marking fixed.

However, I see additional problems with client auth. See new bug 119086
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

16 years ago
Verified.
Status: RESOLVED → VERIFIED

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

10 years ago
Version: psm2.2 → 1.0 Branch
Product: Core → Core Graveyard