Closed
Bug 1216514
Opened 10 years ago
Closed 10 years ago
[CID 222177] leaked_storage: Variable rvCRL going out of scope leaks the storage it points to
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(firefox44 affected)
RESOLVED
FIXED
3.22
| Tracking | Status | |
|---|---|---|
| firefox44 | --- | affected |
People
(Reporter: franziskus, Assigned: franziskus)
References
(Blocks 1 open bug)
Details
(Keywords: coverity)
Attachments
(1 file, 2 obsolete files)
|
1.12 KB,
patch
|
mt
:
review+
mt
:
checked-in+
|
Details | Diff | Splinter Review |
rvCRL is leaked when returning early
| Assignee | ||
Comment 1•10 years ago
|
||
Attachment #8676223 -
Flags: review?(martin.thomson)
| Assignee | ||
Comment 2•10 years ago
|
||
Attachment #8676223 -
Attachment is obsolete: true
Attachment #8676223 -
Flags: review?(martin.thomson)
Attachment #8676227 -
Flags: review?(martin.thomson)
Comment 3•10 years ago
|
||
Comment on attachment 8676227 [details] [diff] [review]
CID222177.patch
Review of attachment 8676227 [details] [diff] [review]:
-----------------------------------------------------------------
I couldn't satisfy myself that this was correct. Asking a second opinion.
::: lib/pki/certificate.c
@@ +1121,5 @@
> NULL, /* class */
> &rvCRL->url,
> &rvCRL->isKRL);
> if (status != PR_SUCCESS) {
> + nssPKIObject_Destroy((nssPKIObject *)rvCRL);
I think that there is a better option here. Before allocating, optionally call mark = nssArena_Mark(). At the end, if there is a mark, call Unmark on success and Release on failure. If there is no mark, then call nss_ZFreeIf(). The problem here is that you will decrement the reference count on the parent object when you free here, but I can't see any evidence that the reference count is incremented anywhere. That could produce a worse situation.
BTW, there is no leak if you accept the precondition that the arena is always non-NULL, but I couldn't figure out how to guarantee that (other than adding an explicit test for non-NULL, that is).
Attachment #8676227 -
Flags: review?(martin.thomson) → review?(ekr)
| Assignee | ||
Comment 4•10 years ago
|
||
(In reply to Martin Thomson [:mt:] from comment #3)
> Comment on attachment 8676227 [details] [diff] [review]
> CID222177.patch
> I think that there is a better option here. Before allocating, optionally
> call mark = nssArena_Mark(). At the end, if there is a mark, call Unmark on
> success and Release on failure. If there is no mark, then call
> nss_ZFreeIf(). The problem here is that you will decrement the reference
> count on the parent object when you free here, but I can't see any evidence
> that the reference count is incremented anywhere. That could produce a
> worse situation.
>
> BTW, there is no leak if you accept the precondition that the arena is
> always non-NULL, but I couldn't figure out how to guarantee that (other than
> adding an explicit test for non-NULL, that is).
yeah I see... the best (easiest) solutions seems to explicitly null-check the arena and only destroy the object if the arena is actually null.
Comment 5•10 years ago
|
||
I agree with MT that it's not clear that the free here is safe.
In general, nssPKIObject_Destroy seems pretty scary. Franziskus's proposed solution seems reasonable.
Updated•10 years ago
|
Attachment #8676227 -
Flags: review?(ekr)
| Assignee | ||
Comment 6•10 years ago
|
||
destroying this now only if we don't have an arena
Attachment #8676227 -
Attachment is obsolete: true
Attachment #8684845 -
Flags: review?(martin.thomson)
Comment 7•10 years ago
|
||
Comment on attachment 8684845 [details] [diff] [review]
CID222177.patch
Review of attachment 8684845 [details] [diff] [review]:
-----------------------------------------------------------------
I agree that this is probably the best we can hope to do here.
https://hg.mozilla.org/projects/nss/rev/040828d246d8
Attachment #8684845 -
Flags: review?(martin.thomson)
Attachment #8684845 -
Flags: review+
Attachment #8684845 -
Flags: checked-in+
Updated•10 years ago
|
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.22
You need to log in
before you can comment on or make changes to this bug.
Description
•