Closed
Bug 1216501
Opened 9 years ago
Closed 9 years ago
[CID 1327954][CID 1327953][CID 1327952][CID 1327951] Using uninitialized value secitem.type when calling SECITEM_CopyItem_Util - copying secitem.type only if present
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(firefox44 affected)
RESOLVED
FIXED
3.21
Tracking | Status | |
---|---|---|
firefox44 | --- | affected |
People
(Reporter: franziskus, Assigned: franziskus)
References
(Blocks 1 open bug)
Details
(Keywords: coverity)
Attachments
(1 file, 2 obsolete files)
3.05 KB,
patch
|
mt
:
review+
mt
:
checked-in+
|
Details | Diff | Splinter Review |
SECITEM_CopyItem is often used on objects that are missing the type, i.e. type on those has never been set. Instead of changing all occurrences I'd suggest copying the type only if it was set.
Assignee | ||
Comment 1•9 years ago
|
||
I fixed one of those before, but there are at least 4 more. So I think this might be a better solution. (Skipping codereview for these easy patches now.)
Attachment #8676206 -
Flags: review?(martin.thomson)
Assignee | ||
Comment 2•9 years ago
|
||
Attachment #8676206 -
Attachment is obsolete: true
Attachment #8676206 -
Flags: review?(martin.thomson)
Attachment #8676211 -
Flags: review?(martin.thomson)
Comment 3•9 years ago
|
||
Comment on attachment 8676211 [details] [diff] [review] CID1327954.patch Review of attachment 8676211 [details] [diff] [review]: ----------------------------------------------------------------- Not sure what you are trying to do here. ::: lib/util/secitem.c @@ +269,1 @@ > if (from->data && from->len) { If from is NULL, then you get a null-deref on this line instead. Also, a from->type of siBuffer is falsy.
Attachment #8676211 -
Flags: review?(martin.thomson) → review-
Assignee | ||
Comment 4•9 years ago
|
||
(In reply to Martin Thomson [:mt:] from comment #3) > Comment on attachment 8676211 [details] [diff] [review] > CID1327954.patch > > Review of attachment 8676211 [details] [diff] [review]: > ----------------------------------------------------------------- > > Not sure what you are trying to do here. > > ::: lib/util/secitem.c > @@ +269,1 @@ > > if (from->data && from->len) { > > If from is NULL, then you get a null-deref on this line instead. Also, a > from->type of siBuffer is falsy. sure, I don't get why none of these functions ever check the pointers they... But I just want to fix one issue here, that is that from->type is not initialised in many cases this is called. To avoid getting undefined behaviour here every time we copy the uninitialised from->type we should simply not copy it in this case. The alternative would be to fix all callsites of SECITEM_CopyItem.
Flags: needinfo?(martin.thomson)
Comment 5•9 years ago
|
||
This isn't going to fix any problems with having from->type uninitialized, it's just going to propagate the problem.
Flags: needinfo?(martin.thomson)
Assignee | ||
Comment 6•9 years ago
|
||
right, stupid me. I'm just setting the type in those four cases coverity complains. I'm not sure if those are the correct types (I tried my best, let me know if you think they're supposed to be different), but since they're never checked anyway... This will probably pop up at other places as well, we can fix it everywhere or maybe somewhen remove the type from secitem all together ;)
Attachment #8676211 -
Attachment is obsolete: true
Attachment #8676818 -
Flags: review?(martin.thomson)
Comment 7•9 years ago
|
||
Comment on attachment 8676818 [details] [diff] [review] CID1327954.patch Review of attachment 8676818 [details] [diff] [review]: ----------------------------------------------------------------- https://hg.mozilla.org/projects/nss/rev/ad5687c22dff
Attachment #8676818 -
Flags: review?(martin.thomson)
Attachment #8676818 -
Flags: review+
Attachment #8676818 -
Flags: checked-in+
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.21
You need to log in
before you can comment on or make changes to this bug.
Description
•