Closed Bug 129709 Opened 22 years ago Closed 22 years ago

Illegal free and memory leak of cert->nickname in __CERT_AddTempCertToPerm

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

References

Details

Attachments

(1 file, 1 obsolete file)

Ian's proposed patch
801 bytes, patch
Details | Diff | Splinter Review 
In NSS 3.4, we exported the function __CERT_AddTempCertToPerm for PSM.

In stanpcertdb.c, rev. 1.38, this function does the following:

    if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
        /* take the new nickname */
        PORT_Free(cert->nickname);
        stanNick = NULL;
    }
    if (!stanNick && nickname) {
        stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, c->object.arena);
        cert->nickname = PORT_Strdup(nickname);
    }

However, cert->nickname should be allocated in cert->arena (see pki3hack.c,
fill_CERTCertificateFields).  So, there are two scenarios in which the
above code will be wrong.

1. If someone calls CERT_NewTempCertificate with one nickname, then
calls CERT_AddTempCertToPerm with a *different* nickname, we will make an
incorect call to PORT_Free, and then call PORT_Strdup to allocate
cert->nickname, which will be leaked.  The incorrect call to PORT_Free
is especially serious because it frees a buffer allocated in an arena.

The good news is that this scenario is unlikely to happen.  In particular,
PSM doesn't do this.

2. If someone calls CERT_NewTempCertificate with a null nickname, then
calls CERT_AddTempCertToPerm with a *non-null* nickname, we will call
PORT_Strdup to allocated cert->nickname, which will be leaked.

This is what PSM does, so PSM will hit the leak.

But certs are rarely imported permanently.  The leak is just the size of
a nickname buffer, and it will occur once per downloaded cert per session.
That number should be extremely low.

With the above analysis and the safe assumption that PSM is the only user
of __CERT_AddTempCertToPerm, I recommend that we not fix this bug before
NSS 3.4 RTM and we fix it in NSS 3.4.1.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.4.1

    
    

    
  
I'm not entirely certain that PSM will remain the only user of 
__CERT_AddTempCertToPerm in the 3.4 timeframe (before 3.4.1 is released).  
If we have a low risk patch now ...

    
  
Target Milestone: 3.4.1 → 3.4

    
    

    
  
patch checked in per wtc's request.

    
    

    
  
Marked the bug fixed.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

    
    

    
  


  
I found out about this memory leak when I reviewed the nssList
code.  We leak the arena if nss_ZNEW fails.  r=mcgreer.  I've
checked in the patch.

    
    

    
  
Comment on attachment 74417 [details] [diff] [review]
Patch to fix a memory leak in nssList_Create on error

Sorry, attached to the wrong bug.

        Attachment #74417 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 74417 [details] [diff] [review]
Patch to fix a memory leak in nssList_Create on error

I meant to attach this patch to bug 129778, although
this patch is not really related to that bug either.

    
  
Blocks: 131513

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: