1.) Visit the above AOL site and get a cert.
2.) Visit https://pki.mcom.com:6007/tests.html and use the cert for client auth.
What happens: Crash.
I tried using a different website, and I saw a crash, too. At the topmost level, tmp points to memory location 0xdadadada, i.e. uninitialized memory.

#0 0x43585a59 in CERT_DestroyCertificate (cert=0x88a5218) at stanpcertdb.c:442
#1 0x43580484 in CERT_RemoveCertListNode (node=0x8893668) at certdb.c:2010
#2 0x43558119 in CERT_FilterCertListByCANames (certList=0x88935a8, nCANames=1, caNames=0x881ecb0, usage=certUsageSSLClient) at certvfy.c:1385
#3 0x434655ef in nsNSS_SSLGetClientAuthData (arg=0x87f5f80, socket=0x87f5bd0, caNames=0x4103e530, pRetCert=0x87da9c0, pRetKey=0x87da9c4) at ../../../../../mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp:1661
#4 0x43515d53 in ssl3_HandleCertificateRequest (ss=0x87f6270, b=0x87fbfd2 "\016", length=0) at ssl3con.c:4535
#5 0x4351b515 in ssl3_HandleHandshakeMessage (ss=0x87f6270, b=0x87fbefc "\002\001\002", length=214) at ssl3con.c:7166
#6 0x4351b87e in ssl3_HandleHandshake (ss=0x87f6270, origBuf=0x815a314) at ssl3con.c:7266
#7 0x4351c08d in ssl3_HandleRecord (ss=0x87f6270, cText=0x4103e69c, databuf=0x815a314) at ssl3con.c:7531
#8 0x4351d1a5 in ssl3_GatherCompleteHandshake (ss=0x87f6270, flags=0) at ssl3gthr.c:204
#9 0x4351d27e in ssl3_GatherAppDataRecord (ss=0x87f6270, flags=0) at ssl3gthr.c:234
#10 0x4352877b in DoRecv (ss=0x87f6270, out=0x437004e8 "", len=4096, flags=0) at sslsecur.c:515
#11 0x43529755 in ssl_SecureRecv (ss=0x87f6270, buf=0x437004e8 "", len=4096, flags=0) at sslsecur.c:1048
#12 0x435297cb in ssl_SecureRead (ss=0x87f6270, buf=0x437004e8 "", len=4096) at sslsecur.c:1057
#13 0x4352f5e4 in ssl_Read (fd=0x87f5bd0, buf=0x437004e8, len=4096) at sslsock.c:1232
#14 0x434638b4 in nsSSLIOLayerRead (fd=0x8735a88, buf=0x437004e8, amount=4096) at ../../../../../mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp:665
#15 0x403157ff in PR_Read (fd=0x8735a88, buf=0x437004e8, amount=4096) at ../../../../../mozilla/nsprpub/pr/src/io/priometh.c:136
#16 0x4093e355 in nsSocketIS::Read (this=0x43700440, aBuf=0x437004e8 "", aCount=4096, aBytesRead=0x4103e86c) at ../../../../mozilla/netwerk/base/src/nsSocketTransport.cpp:2337
#17 0x409810fd in nsHttpTransaction::Read (this=0x87c3560, buf=0x437004e8 "", count=4096, bytesWritten=0x4103e86c) at ../../../../../mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:830
#18 0x4021c8d6 in nsReadFromInputStream (outStr=0x876809c, closure=0x87c3568, toRawSegment=0x437004e8 "", offset=0, count=4096, readCount=0x4103e86c) at ../../../mozilla/xpcom/io/nsPipe2.cpp:845
#19 0x4021c408 in nsPipe::nsPipeOutputStream::WriteSegments (this=0x876809c, reader=0x4021c8a0 <nsReadFromInputStream(nsIOutputStream *, void *, char *, unsigned int, unsigned int, unsigned int *)>, closure=0x87c3568, count=16384, writeCount=0x4103e910) at ../../../mozilla/xpcom/io/nsPipe2.cpp:719
#20 0x4021c920 in nsPipe::nsPipeOutputStream::WriteFrom (this=0x876809c, fromStream=0x87c3568, count=16384, writeCount=0x4103e910) at ../../../mozilla/xpcom/io/nsPipe2.cpp:853
#21 0x4094518e in nsStreamListenerProxy::OnDataAvailable (this=0x87416b8, request=0x87c3564, context=0x0, source=0x87c3568, offset=0, count=16384) at ../../../../mozilla/netwerk/base/src/nsStreamListenerProxy.cpp:303
#22 0x4097f81f in nsHttpTransaction::OnDataReadable (this=0x87c3560, is=0x43700440) at ../../../../../mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:238
#23 0x4097e92b in nsHttpConnection::OnDataAvailable (this=0x87df340, request=0x87680e0, context=0x0, inputStream=0x43700440, offset=0, count=8192) at ../../../../../mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:700
Ian, Stephane has run into the same crash. The problem is with reference counting. This is a case where the cert is never placed in any cache or temp storage, so it winds up with a reference of '2', so we 'remove' it from the cache, decrement the count and free it, but there is still a reference in the certlist. If we need to keep references in the cache or temp storage areas, we should really implement soft references of some kind; we can't just assume that a cert is in one of these areas. bob
> Stephane has ran into the same crash. The problem is with Reference counting.
> This is a case where the cert is never placed any cache or temp storage, so it
> winds up with a reference of '2', so we 'remove' it from the cache, decrement
> the count and free it, but there is till a reference in the certlist.

That can't be the problem. We *attempt* to remove it from the cache, but if it is not there, nothing happens. NSSCertificate_Destroy is only called if the cache actually had a reference to a cert and released it. The problem may be in new code that misses a ref count, but I don't think the Destroy method is causing this.
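The reference lifecycle the two comments above argue about, as an added illustration that is not part of the bug thread or of NSS (a constructed model; Cert, Cache and all function names are hypothetical): a cache removal that drops a reference unconditionally frees a never-cached cert out from under the cert list, while a removal that first checks whether the cache holds the cert leaves the list's reference intact.

```c
#include <stddef.h>
/* Constructed, hypothetical model of a refcounted certificate plus a one-slot
 * cache that may or may not hold it. Not NSS code. */
typedef struct Cert {
    int refcount;
    int destroyed;  /* set when the last reference is dropped (real code frees) */
} Cert;
typedef struct Cache { Cert *slot; } Cache;
static Cert *cert_hold(Cert *c) { c->refcount++; return c; }
static void cert_release(Cert *c) { if (--c->refcount == 0) c->destroyed = 1; }
/* The cache pins a cert with a reference of its own. */
static void cache_add(Cache *cache, Cert *c) { cache->slot = cert_hold(c); }

/* Buggy removal as Bob describes it: assumes the cert was cached, so it
 * always drops a reference, even one the cache never owned. */
static void cache_remove_unchecked(Cache *cache, Cert *c) {
    if (cache->slot == c) cache->slot = NULL;
    cert_release(c);
}

/* Correct removal as Ian describes it: if the cert is not in the cache,
 * nothing happens; only a reference the cache actually held is dropped. */
static void cache_remove_checked(Cache *cache, Cert *c) {
    if (cache->slot != c) return;
    cache->slot = NULL;
    cert_release(c);
}

/* Client-auth path from the thread: the caller owns one reference, a cert
 * list node takes another, and the cert may or may not have been cached. The
 * caller then destroys its copy (cache removal, then release) while the list
 * still holds the cert. */
static void run_scenario(int was_cached, int use_checked, Cert *cert) {
    Cache cache = { NULL };
    cert->refcount = 1;  /* caller's reference */
    cert->destroyed = 0;
    cert_hold(cert);     /* cert list node's reference */
    if (was_cached) cache_add(&cache, cert);
    if (use_checked) cache_remove_checked(&cache, cert);
    else cache_remove_unchecked(&cache, cert);
    cert_release(cert);  /* caller drops its own reference */
}

/* 1 if the cert was destroyed while the list still pointed at it. */
int destroy_leaves_dangling_ref(int was_cached, int use_checked) {
    Cert c; run_scenario(was_cached, use_checked, &c); return c.destroyed;
}
/* Remaining references; the list's own reference should survive, so 1. */
int refcount_after_destroy(int was_cached, int use_checked) {
    Cert c; run_scenario(was_cached, use_checked, &c); return c.refcount;
}
```

Only the never-cached plus unchecked-removal combination reaches refcount 0 with the list node still live, which is the state the backtrace's CERT_DestroyCertificate frame would be operating on.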
With the NSS trunk from 17:20, I no longer crash, and am successfully able to access the site. Marking fixed. However, I see additional problems with client auth. See new bug 119086.
Status: NEW → RESOLVED
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED