Closed
Bug 1192020
Opened 9 years ago
Closed 9 years ago
MSan: use-of-uninitialized-value in nssutil_DupnCat()
Categories
(NSS :: Libraries, defect, P1)
NSS
Libraries
Tracking
(firefox40 wontfix, firefox41 wontfix, firefox42 affected, firefox43 affected, firefox-esr38 wontfix, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S wontfix, b2g-v2.2 affected, b2g-v2.2r affected, b2g-master affected)
RESOLVED
FIXED
3.21
People
(Reporter: tsmith, Assigned: wtc)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uninitialized, sec-audit)
Attachments
(2 files, 2 obsolete files)
2.76 KB,
text/plain
|
Details | |
1.34 KB,
patch
|
wtc
:
checked-in+
|
Details | Diff | Splinter Review |
This seems to be triggered by a call to NSS_NoDB_Init(NULL). I'm not sure about the security implications here so I'm making this as a sec bug. Feel free to change it if need be.
Mass cc to get some NSS eyes on these bugs.
Comment 2•9 years ago
|
||
--- a/lib/util/utilmod.c +++ b/lib/util/utilmod.c @@ -87,17 +87,19 @@ nssutil_DupnCat(char *baseString, const len += str_len; newString = (char *) PORT_Realloc(baseString,len); if (newString == NULL) { PORT_Free(baseString); return NULL; } if (baseString == NULL) *newString = 0; - return PORT_Strncat(newString,str, str_len); + newString[len]=0; /* Strncat will not copy the NULL in str. Make sure the + * resulting string terminates */ + return PORT_Strncat(newString, str, str_len); } /* Same as nssutil_DupnCat except it concatenates the full string, not a * partial one */ static char * nssutil_DupCat(char *baseString, const char *str) { I don't think this has a security exploit unless the user has access to pkcs11.txt, which is the source of the module strings, but it should get fixed.
Comment 3•9 years ago
|
||
Attachment #8647748 -
Flags: review?(dkeeler)
Assignee | ||
Comment 4•9 years ago
|
||
Comment on attachment 8647748 [details] [diff] [review] Make sure the string is null terminated on return from nssutil_DupnCat(). Review of attachment 8647748 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/util/utilmod.c @@ +91,5 @@ > PORT_Free(baseString); > return NULL; > } > if (baseString == NULL) *newString = 0; > + newString[len]=0; /* Strncat will not copy the NULL in str. Make sure the 1. Nit: add spaces around the '=' sign. 2. The comment on line 78 is wrong: * The first parameter is the source string. If it's null, we "source" should be changed to "destination". 3. Nit: This function can use memcpy instead of strncat so that it doesn't scan baseString twice. This should work: static char * nssutil_DupnCat(char *baseString, const char *str, int str_len) { int baseStringLen = baseString ? PORT_Strlen(baseString) : 0; int len = baseStringLen + 1; char *newString; len += str_len; newString = (char *) PORT_Realloc(baseString,len); if (newString == NULL) { PORT_Free(baseString); return NULL; } PORT_Memcpy(&newString[baseStringLen], str, str_len); newString[len] = 0; return newString; }
Comment 5•9 years ago
|
||
I would r+ wtc's patch. It is actually clearer to read that the existing function, and removes the hackish test to set the first byte of newString to zero if baseStringLen is zero.
Assignee | ||
Comment 6•9 years ago
|
||
Bob: thank you for the support! Here is the patch.
Attachment #8647748 -
Attachment is obsolete: true
Attachment #8647748 -
Flags: review?(dkeeler)
Attachment #8647800 -
Flags: review?(rrelyea)
Comment 7•9 years ago
|
||
Comment on attachment 8647800 [details] [diff] [review] Make sure the string is null terminated on return from nssutil_DupnCat(). v2 Review of attachment 8647800 [details] [diff] [review]: ----------------------------------------------------------------- r+ rrelyea
Attachment #8647800 -
Flags: review?(rrelyea) → review+
Comment 8•9 years ago
|
||
actually the patch should be: newString[len-1] = 0; newString[len] is beyond the array. Alternately we can skip adding 1 to the len and add it only in the malloc. bob
Assignee | ||
Comment 9•9 years ago
|
||
Bob: I made the fix you described and checked in the patch. Thanks! https://hg.mozilla.org/projects/nss/rev/49af81a7869b
Assignee: nobody → wtc
Attachment #8647800 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8652635 -
Flags: checked-in+
Assignee | ||
Updated•9 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
OS: Unspecified → All
Priority: -- → P1
Hardware: Unspecified → All
Resolution: --- → FIXED
Target Milestone: --- → 3.21
Updated•9 years ago
|
status-b2g-v2.0:
--- → wontfix
status-b2g-v2.0M:
--- → wontfix
status-b2g-v2.1:
--- → wontfix
status-b2g-v2.1S:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-v2.2r:
--- → affected
status-b2g-master:
--- → affected
status-firefox40:
--- → wontfix
status-firefox41:
--- → affected
status-firefox43:
--- → affected
status-firefox-esr38:
--- → affected
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•