Closed Bug 1220683 Opened 10 years ago Closed 10 years ago

Checking return values in mpi.c

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(firefox45 affected)

RESOLVED FIXED
Tracking Status
firefox45 --- affected

People

(Reporter: franziskus, Assigned: franziskus)

References

(Blocks 1 open bug)

Details

(Keywords: coverity)

Attachments

(1 file, 6 obsolete files)

mpi.c fails to check several return (error) values. This is captured in coverity bugs 221850, 221851, 221853, 1121981, 221854, 221855, 221856, 221857.
Attached patch mpi coverity (obsolete) — Splinter Review
Attachment #8681987 - Flags: review?(martin.thomson)
Attached patch mpi coverity (obsolete) — Splinter Review
forgot to include assert
Attachment #8681987 - Attachment is obsolete: true
Attachment #8681987 - Flags: review?(martin.thomson)
Attachment #8682444 - Flags: review?(martin.thomson)
Comment on attachment 8682444 [details] [diff] [review] mpi coverity Review of attachment 8682444 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/freebl/mpi/mpi-priv.h @@ +15,5 @@ > #include "mpi.h" > #include <stdlib.h> > #include <string.h> > #include <ctype.h> > +#include <assert.h> I'd move the inclusion here to the .c file. ::: lib/freebl/mpi/mpi.c @@ +1702,5 @@ > > ARGCHK(a != NULL, MP_EQ); > > + assert(mp_init(&tmp) == MP_OKAY); > + assert(mp_set_int(&tmp, z) == MP_OKAY); It's a shame that you need an alloc() call here. I wonder if we could hack around the problem somehow.
Attachment #8682444 - Flags: review?(martin.thomson)
Attached patch mpi coverity (obsolete) — Splinter Review
moved the include. let's leave mp_cmp_int here, I opened bug 1222908 to rewrite that.
Attachment #8682444 - Attachment is obsolete: true
Attachment #8684776 - Flags: review?(martin.thomson)
Comment on attachment 8684776 [details] [diff] [review] mpi coverity Review of attachment 8684776 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/freebl/mpi/mpi.c @@ +10,5 @@ > #include "mpi-priv.h" > #if defined(OSF1) > #include <c_asm.h> > #endif > +#include <limits.h> why limits and not assert? @@ +1491,5 @@ > mp_set(&s, 1); > > /* mu = b^2k / m */ > + MP_CHECKOK(s_mp_add_d(&mu, 1)); > + MP_CHECKOK(s_mp_lshd(&mu, 2 * USED(m))); Please try to be consistent with the adjoining code.
Attachment #8684776 - Flags: review?(martin.thomson) → review+
Attached patch mpi coverity (obsolete) — Splinter Review
r+ carries over. not sure why I used limits here... changed to assert. Also changed MP_CHECKOK to if != MP_OKAY to make it similar to the adjoining code. do you check in?
Attachment #8684776 - Attachment is obsolete: true
Flags: needinfo?(martin.thomson)
Attachment #8685381 - Flags: review+
Attached patch mpi coverity (obsolete) — Splinter Review
got distracted... r+ carries over
Attachment #8685381 - Attachment is obsolete: true
Attachment #8685382 - Flags: review+
Attached patch mpi coveritySplinter Review
today's not my day... r+ carries over
Attachment #8685382 - Attachment is obsolete: true
Attachment #8685395 - Flags: review+
Comment on attachment 8685395 [details] [diff] [review] mpi coverity Review of attachment 8685395 [details] [diff] [review]: ----------------------------------------------------------------- https://hg.mozilla.org/projects/nss/rev/1ffeb4a97c1c
Attachment #8685395 - Flags: checked-in+
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(martin.thomson)
Resolution: --- → FIXED
Target Milestone: --- → 3.22
Martin reported we have test failures: > cert.sh: #86: Creating EC CA Cert TestCA-ec (5=0) - FAILED Apprently this change broke the NSS tests when using an optimized build (debug works fine). I will back out the patch.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Kai Engert (:kaie) from comment #11) > I will back out the patch. https://hg.mozilla.org/projects/nss/rev/e8d7d9c23621
Comment on attachment 8685395 [details] [diff] [review] mpi coverity Review of attachment 8685395 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/freebl/mpi/mpi.c @@ +1705,5 @@ > > ARGCHK(a != NULL, MP_EQ); > > + assert(mp_init(&tmp) == MP_OKAY); > + assert(mp_set_int(&tmp, z) == MP_OKAY); assert() doesn't evaluate the condition at all if NDEBUG is defined, so this would explain the broken opt builds.
…except that on Windows, -UNDEBUG is added unconditionally in lib/freebl/mpi/target.mk (and -DNDEBUG is added on Linux, which is arguably worse), so a Windows opt build wouldn't reveal the breakage. Is there a reason for that? `hg blame` isn't very helpful.
Attached patch mp_cmp_int.patch (obsolete) — Splinter Review
I'm not sure that this is worth the extra effort involved. I note that the ARGCHK call returns MP_EQ if the `a` argument is NULL. Maybe we can dump out with MP_EQ if we have memory issues as well. It seems like the worst possible return code, but there you have it.
Attachment #8688143 - Flags: feedback?(franziskuskiefer)
Comment on attachment 8688143 [details] [diff] [review] mp_cmp_int.patch Review of attachment 8688143 [details] [diff] [review]: ----------------------------------------------------------------- This is a bit overkill, but works, so lets go with this for now (make sure the other patch is checked in again first). If we could rewrite ec_GFp_pt_dbl_jac [1] we could just remove mp_cmp_int (it's not used anywhere else), but I don't see a quick way to replace the compare there. [1] https://github.com/nss-dev/nss/blob/79dd4fc2d52149f59824df5013ecf20fa247ba93/lib/freebl/ecl/ecp_jac.c#L235 ::: lib/freebl/mpi/mpi.c @@ +1723,5 @@ > /* > This just converts z to an mp_int, and uses the existing comparison > routines. This is sort of inefficient, but it's not clear to me how > frequently this wil get used anyway. For small positive constants, > you can always use mp_cmp_d(), and for zero, there is mp_cmp_z(). you might want to change the comment here @@ +1733,3 @@ > > ARGCHK(a != NULL, MP_EQ); > nit: whitespace
Attachment #8688143 - Flags: feedback?(franziskuskiefer) → feedback+
Well, ec_GFp_pt_dbl_jac could just do the basic check. MP_SIGN(a) && MP_DIGIT(a, 0) == 3 && for(i = 1; i < MP_USED(a); ++i) !MP_DIGIT(a, i); Bob, maybe you can offer an opinion here. Do you think we need a generic function, or should I just write the above into ec_GFp_pt_dbl_jac ?
Flags: needinfo?(rrelyea)
Comment on attachment 8688143 [details] [diff] [review] mp_cmp_int.patch moved this to Bug 1222908 to clean up and land the main patch again without asserts in mp_cmp_int.
Attachment #8688143 - Attachment is obsolete: true
Flags: needinfo?(rrelyea)
landed it again without the asserts. let's fix the mp_cmp_int in bug 1222908 https://hg.mozilla.org/projects/nss/rev/973d29c1864f
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: