Bug 124512 - SSL server doing single handshake client auth crashes
Status: RESOLVED FIXED (Closed)
Opened 23 years ago, closed 23 years ago
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
Target Milestone: 3.4
People: Reporter: julien.pierre, Assigned: wtc
This crash occurred on Windows 2000 after just a couple of minutes. Here is the stack:
MSVCRT! 7802802c()
nssItem_Equal(const NSSItemStr * 0x0ca23ae0, const NSSItemStr * 0x0a0bfc38, int * 0x0a0bfb7c) line 240 + 28 bytes
match_encoding(const void * 0x0ca23af0, void * 0x0cfb8f18, void * 0x0a0bfc04) line 562 + 22 bytes
nss_hash_enumerator(PLHashEntry * 0x093efec0, int 0, void * 0x0a0bfbe4) line 376 + 26 bytes
PL_HashTableEnumerateEntries(PLHashTable * 0x00eeb620, int (PLHashEntry *, int, void *)* 0x002c0653 nss_hash_enumerator(PLHashEntry *, int, void *), void * 0x0a0bfbe4) line 429 + 15 bytes
nssHash_Iterate(nssHashStr * 0x00eeb600, void (const void *, void *, void *)* 0x002b8367 match_encoding(const void *, void *, void *), void * 0x0a0bfc04) line 399 + 21 bytes
nssCertificateStore_FindCertificateByEncodedCertificate(nssCertificateStoreStr * 0x00eeb550, NSSItemStr * 0x0a0bfc38) line 583 + 21 bytes
NSSCryptoContext_FindCertificateByEncodedCertificate(NSSCryptoContextStr * 0x00eeb530, NSSItemStr * 0x0a0bfc38) line 391 + 16 bytes
__CERT_NewTempCertificate(NSSTrustDomainStr * 0x00ee4fb8, SECItemStr * 0x0a0bfc9c, char * 0x00000000, int 0, int 1) line 189 + 13 bytes
ssl3_HandleCertificate(sslSocketStr * 0x0ca9de70, unsigned char * 0x0cf4a29e, unsigned int 0) line 6491 + 25 bytes
ssl3_HandleHandshakeMessage(sslSocketStr * 0x0ca9de70, unsigned char * 0x0cf4a034, unsigned int 618) line 7157 + 17 bytes
ssl3_HandleHandshake(sslSocketStr * 0x0ca9de70, sslBufferStr * 0x0c95c974) line 7273 + 25 bytes
ssl3_HandleRecord(sslSocketStr * 0x0ca9de70, SSL3Ciphertext * 0x0a0bfdf8, sslBufferStr * 0x0c95c974) line 7538 + 13 bytes
ssl3_GatherCompleteHandshake(sslSocketStr * 0x0ca9de70, int 0) line 204 + 20 bytes
ssl_GatherRecord1stHandshake(sslSocketStr * 0x0ca9de70) line 1300 + 11 bytes
ssl_Do1stHandshake(sslSocketStr * 0x0ca9de70) line 156 + 10 bytes
ssl_SecureRecv(sslSocketStr * 0x0ca9de70, unsigned char * 0x09255f48, int 8191, int 0) line 1038 + 9 bytes
ssl_Recv(PRFileDesc * 0x0c9a0db8, void * 0x09255f48, int 8191, int 0, unsigned int 1643790) line 1191 + 25 bytes
PR_Recv(PRFileDesc * 0x0c9a0db8, void * 0x09255f48, int 8191, int 0, unsigned int 1643790) line 215 + 28 bytes
DaemonSession::GetConnection() line 401 + 54 bytes
DaemonSession::run() line 462 + 8 bytes
Thread::run_() line 235
ThreadMain(void * 0x091e1160) line 227
_PR_UserRunThread() line 506 + 13 bytes
_pr_fiber_mainline(void * 0x00000000) line 389 + 19 bytes
KERNEL32! 77e8758a()
KERNEL32! 77e81682()
Updated by reporter, 23 years ago:
Priority: -- → P1
Target Milestone: --- → 3.4
Comment 1 by reporter, 23 years ago
The problem is with the one->data parameter being passed to nssItem_equal. It
points to unallocated memory.
Comment 2, 23 years ago
This code path was eliminated by a checkin yesterday. Previously, searching for
a cert by DER in the temp store was accomplished by iterating the hash and
comparing values. I changed it to the monumentally more efficient method of
cracking the DER for issuer/serial and then indexing the hash directly. See rev
1.8 vs. rev 1.9 of pkistore.c.
While that may prevent this particular call stack from showing up again, it
doesn't mean the bug is fixed. The old method should have worked, just more slowly.
I saw this trace once on Linux, and I was quite confused. I actually found that
both the "one" and "two" pointers were valid. In fact, their lengths were
equal, and their buffers were equal. The cert pointer that produced the "one"
pointer was valid. The trace ended in memcmp. I have been unable to reproduce
it since, including running NT for over 50,000 sessions.
Comment 3, 23 years ago
This crash, or any related temp store crash, has not shown up since the bug was
filed, that I know of.
I believe it has been fixed by changes to the temp store implementation.
Previously, the temp store did not guarantee uniqueness of certs within it,
causing various problems. The changes for the store went into pkistore.c rev 1.8.
The patch that eliminated the code path seen in the bug was pkistore.c rev 1.9.
Additional changes to ensure uniqueness of cert pointers were made in
stanpcertdb.c revs 1.30 and 1.31.
Marking bug fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
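Comment 2 describes replacing the iterate-and-compare lookup in the temp store with a direct index on the issuer/serial cracked from the DER, and Comment 3 notes that the store now guarantees one object per certificate. The following is an added Python sketch of both lookups over a minimal, constructed certificate-shaped DER; it is illustrative code written for this page, not NSS's pkistore.c, and the names der_tlv, TempCertStore, tlv and make_sample_cert are assumed here.

```python
def der_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bytes(buf[pos:pos + length]), pos + length

def issuer_and_serial(der_cert):
    """Crack a DER Certificate just far enough to return (issuer, serial) as bytes."""
    _, cert, _ = der_tlv(der_cert, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = der_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, ... }
    tag, _, after = der_tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0          # skip the EXPLICIT [0] version when present
    tag, serial, pos = der_tlv(tbs, pos)       # serialNumber INTEGER
    _, _, pos = der_tlv(tbs, pos)              # signature AlgorithmIdentifier
    tag2, issuer, _ = der_tlv(tbs, pos)        # issuer Name
    if tag != 0x02 or tag2 != 0x30:
        raise ValueError("not a certificate-shaped DER structure")
    return issuer, serial

class TempCertStore:
    def __init__(self):
        self.certs = {}                        # (issuer, serial) -> the one stored DER object

    def add(self, der_cert):
        """Return the stored object for this encoding, inserting it if new."""
        key = issuer_and_serial(der_cert)
        stored = self.certs.setdefault(key, der_cert)
        if stored != der_cert:                 # same issuer/serial, different bytes: refuse, do not alias
            raise ValueError("issuer/serial collision with a different encoding")
        return stored

    def find_by_scan(self, der_cert):
        """Old path: enumerate every entry and compare encodings."""
        return next((c for c in self.certs.values() if c == der_cert), None)

    def find_by_index(self, der_cert):
        """New path: crack issuer/serial, index directly, then confirm the bytes."""
        c = self.certs.get(issuer_and_serial(der_cert))
        return c if c == der_cert else None

def tlv(tag, value):
    """Encode a DER TLV with a short-form length (enough for the constructed samples)."""
    return bytes([tag, len(value)]) + value

def make_sample_cert(serial, issuer_cn):
    """Constructed sample: certificate-shaped DER carrying only the fields the lookup reads."""
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    rdn = tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, issuer_cn)))  # SET { CN=issuer_cn }
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + sig_alg + tlv(0x30, rdn))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00\xaa"))                  # fake BIT STRING signature
```

Adding an encoding that is already present hands back the original object, which is the uniqueness property Comment 3 describes; a second cert with the same issuer/serial but different bytes is refused rather than silently aliased.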