Closed Bug 124512 Opened 23 years ago Closed 23 years ago

SSL server doing single handshake client auth crashes

Categories

(NSS :: Libraries, defect, P1)

x86
Windows 2000
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: julien.pierre, Assigned: wtc)

Details

This crash occurred on Windows 2000 after just a couple of minutes. Here is the stack:

MSVCRT! 7802802c()
nssItem_Equal(const NSSItemStr * 0x0ca23ae0, const NSSItemStr * 0x0a0bfc38, int * 0x0a0bfb7c) line 240 + 28 bytes
match_encoding(const void * 0x0ca23af0, void * 0x0cfb8f18, void * 0x0a0bfc04) line 562 + 22 bytes
nss_hash_enumerator(PLHashEntry * 0x093efec0, int 0, void * 0x0a0bfbe4) line 376 + 26 bytes
PL_HashTableEnumerateEntries(PLHashTable * 0x00eeb620, int (PLHashEntry *, int, void *)* 0x002c0653 nss_hash_enumerator(PLHashEntry *, int, void *), void * 0x0a0bfbe4) line 429 + 15 bytes
nssHash_Iterate(nssHashStr * 0x00eeb600, void (const void *, void *, void *)* 0x002b8367 match_encoding(const void *, void *, void *), void * 0x0a0bfc04) line 399 + 21 bytes
nssCertificateStore_FindCertificateByEncodedCertificate(nssCertificateStoreStr * 0x00eeb550, NSSItemStr * 0x0a0bfc38) line 583 + 21 bytes
NSSCryptoContext_FindCertificateByEncodedCertificate(NSSCryptoContextStr * 0x00eeb530, NSSItemStr * 0x0a0bfc38) line 391 + 16 bytes
__CERT_NewTempCertificate(NSSTrustDomainStr * 0x00ee4fb8, SECItemStr * 0x0a0bfc9c, char * 0x00000000, int 0, int 1) line 189 + 13 bytes
ssl3_HandleCertificate(sslSocketStr * 0x0ca9de70, unsigned char * 0x0cf4a29e, unsigned int 0) line 6491 + 25 bytes
ssl3_HandleHandshakeMessage(sslSocketStr * 0x0ca9de70, unsigned char * 0x0cf4a034, unsigned int 618) line 7157 + 17 bytes
ssl3_HandleHandshake(sslSocketStr * 0x0ca9de70, sslBufferStr * 0x0c95c974) line 7273 + 25 bytes
ssl3_HandleRecord(sslSocketStr * 0x0ca9de70, SSL3Ciphertext * 0x0a0bfdf8, sslBufferStr * 0x0c95c974) line 7538 + 13 bytes
ssl3_GatherCompleteHandshake(sslSocketStr * 0x0ca9de70, int 0) line 204 + 20 bytes
ssl_GatherRecord1stHandshake(sslSocketStr * 0x0ca9de70) line 1300 + 11 bytes
ssl_Do1stHandshake(sslSocketStr * 0x0ca9de70) line 156 + 10 bytes
ssl_SecureRecv(sslSocketStr * 0x0ca9de70, unsigned char * 0x09255f48, int 8191, int 0) line 1038 + 9 bytes
ssl_Recv(PRFileDesc * 0x0c9a0db8, void * 0x09255f48, int 8191, int 0, unsigned int 1643790) line 1191 + 25 bytes
PR_Recv(PRFileDesc * 0x0c9a0db8, void * 0x09255f48, int 8191, int 0, unsigned int 1643790) line 215 + 28 bytes
DaemonSession::GetConnection() line 401 + 54 bytes
DaemonSession::run() line 462 + 8 bytes
Thread::run_() line 235
ThreadMain(void * 0x091e1160) line 227
_PR_UserRunThread() line 506 + 13 bytes
_pr_fiber_mainline(void * 0x00000000) line 389 + 19 bytes
KERNEL32! 77e8758a()
KERNEL32! 77e81682()
Priority: -- → P1
Target Milestone: --- → 3.4
The problem is with the one->data parameter being passed to nssItem_Equal. It points to unallocated memory.
This code path was eliminated by a checkin yesterday. Previously, searching for a cert by DER in the temp store was accomplished by iterating the hash and comparing values. I changed it to the monumentally more efficient method of cracking the DER for issuer/serial and then indexing the hash directly. See rev 1.8 vs. rev 1.9 of pkistore.c. While that may prevent this particular call stack from showing up again, it doesn't mean the bug is fixed. The old method should have worked, just more slowly. I saw this trace once on Linux, and I was quite confused. I actually found that both the "one" and "two" pointers were valid. In fact, their lengths were equal, and their buffers were equal. The cert pointer that produced the "one" pointer was valid. The trace ended in memcmp. I have been unable to reproduce it since, including running NT for over 50,000 sessions.
This crash, or any related temp store crash, has not shown up since the bug was filed, that I know of. I believe it has been fixed by changes to the temp store implementation. Previously, the temp store did not guarantee uniqueness of certs within it, causing various problems. The changes for the store went into pkistore.c rev 1.8. The patch that eliminated the code path seen in the bug was pkistore.c rev 1.9. Additional changes to ensure uniqueness of cert pointers were made in stanpcertdb.c revs 1.30 and 1.31. Marking bug fixed.
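As an added illustration of the two lookup strategies described in the comments above (the old iterate-and-compare-encodings scan and the rev 1.9 approach of cracking the DER for issuer/serial and indexing the store directly), together with the store uniqueness the fix relied on. This is example code, not NSS's pkistore.c; the certificate bytes are constructed here and only the version, serial, signature and issuer fields are realistic.

```python
def der_tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end). Definite lengths only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Crack Certificate/tbsCertificate for the raw (issuer DER, serial DER) store key."""
    _, cert, _ = der_tlv(cert_der)          # outer Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)               # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(tbs)
    pos = end if tag == 0xA0 else 0         # explicit [0] version is OPTIONAL
    tag, serial, pos = der_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be INTEGER"
    _, _, pos = der_tlv(tbs, pos)           # signature AlgorithmIdentifier, skipped
    start = pos
    tag, _, pos = der_tlv(tbs, pos)
    assert tag == 0x30, "issuer must be a Name SEQUENCE"
    return tbs[start:pos], serial

class TempCertStore:
    """Certs keyed by (issuer, serial), so each distinct cert is stored exactly once."""
    def __init__(self):
        self.certs = {}
    def add(self, cert_der):               # re-adding a cert returns the stored copy, no duplicate
        return self.certs.setdefault(issuer_and_serial(cert_der), cert_der)
    def find_by_scan(self, cert_der):      # old method (pkistore.c before rev 1.9): iterate and compare
        return next((c for c in self.certs.values() if c == cert_der), None)
    def find_by_index(self, cert_der):     # new method: crack DER for issuer/serial, probe once
        hit = self.certs.get(issuer_and_serial(cert_der))
        return hit if hit == cert_der else None

def tlv(tag, value):
    """Encode one DER TLV (definite length, value up to 65535 octets)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def make_cert(issuer_cn, serial):
    """Constructed certificate skeleton: real version/serial/signature/issuer, dummy remainder."""
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, issuer_cn))))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + serial_der + sig_alg + issuer + tlv(0x04, b"rest"))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00sig"))
```

Both lookups return the same cert, but find_by_index does one hash probe instead of walking every entry, and the keyed store makes a repeated add return the existing entry rather than a second copy.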
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED