Closed
Bug 129709
Opened 23 years ago
Closed 23 years ago
Illegal free and memory leak of cert->nickname in __CERT_AddTempCertToPerm
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4
People
(Reporter: wtc, Assigned: wtc)
References
Details
Attachments
(1 file, 1 obsolete file)
|
801 bytes,
patch
|
Details | Diff | Splinter Review |
In NSS 3.4, we exported the function __CERT_AddTempCertToPerm for PSM.
In stanpcertdb.c, rev. 1.38, this function does the following:
if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
/* take the new nickname */
PORT_Free(cert->nickname);
stanNick = NULL;
}
if (!stanNick && nickname) {
stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, c->object.arena);
cert->nickname = PORT_Strdup(nickname);
}
However, cert->nickname should be allocated in cert->arena (see pki3hack.c,
fill_CERTCertificateFields). So, there are two scenarios in which the
above code will be wrong.
1. If someone calls CERT_NewTempCertificate with one nickname, then
calls CERT_AddTempCertToPerm with a *different* nickname, we will make an
incorect call to PORT_Free, and then call PORT_Strdup to allocate
cert->nickname, which will be leaked. The incorrect call to PORT_Free
is especially serious because it frees a buffer allocated in an arena.
The good news is that this scenario is unlikely to happen. In particular,
PSM doesn't do this.
2. If someone calls CERT_NewTempCertificate with a null nickname, then
calls CERT_AddTempCertToPerm with a *non-null* nickname, we will call
PORT_Strdup to allocated cert->nickname, which will be leaked.
This is what PSM does, so PSM will hit the leak.
But certs are rarely imported permanently. The leak is just the size of
a nickname buffer, and it will occur once per downloaded cert per session.
That number should be extremely low.
With the above analysis and the safe assumption that PSM is the only user
of __CERT_AddTempCertToPerm, I recommend that we not fix this bug before
NSS 3.4 RTM and we fix it in NSS 3.4.1.
|
Assignee | |
Updated•23 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.4.1
|
|
Assignee | |
Comment 1•23 years ago
|
||
|
||
Comment 2•23 years ago
|
||
I'm not entirely certain that PSM will remain the only user of
__CERT_AddTempCertToPerm in the 3.4 timeframe (before 3.4.1 is released).
If we have a low risk patch now ...
|
|
Assignee | |
Updated•23 years ago
|
Target Milestone: 3.4.1 → 3.4
|
||
Comment 3•23 years ago
|
||
patch checked in per wtc's request.
|
|
Assignee | |
Comment 4•23 years ago
|
||
Marked the bug fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 5•23 years ago
|
||
I found out about this memory leak when I reviewed the nssList
code. We leak the arena if nss_ZNEW fails. r=mcgreer. I've
checked in the patch.
|
|
Assignee | |
Comment 6•23 years ago
|
||
Comment on attachment 74417 [details] [diff] [review]
Patch to fix a memory leak in nssList_Create on error
Sorry, attached to the wrong bug.
Attachment #74417 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 7•23 years ago
|
||
Comment on attachment 74417 [details] [diff] [review]
Patch to fix a memory leak in nssList_Create on error
I meant to attach this patch to bug 129778, although
this patch is not really related to that bug either.
You need to log in
before you can comment on or make changes to this bug.
Description
•