UBSan: ssl3_HandleServerHelloPart2(): null pointer passed as argument 2, which is declared to never be null

RESOLVED FIXED in 3.28

Status

NSS
Libraries

People

(Reporter: ttaubert, Assigned: ttaubert)

(Assignee)

Description

a year ago
ssl3con.c:6899:40: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x752543 in ssl3_HandleServerHelloPart2 /home/worker/nss/lib/ssl/ssl3con.c:6899:5
    #1 0x703457 in ssl3_HandleServerHello /home/worker/nss/lib/ssl/ssl3con.c:6700:14
    #2 0x6f796d in ssl3_HandleHandshakeMessage /home/worker/nss/lib/ssl/ssl3con.c:11663:18
    #3 0x71943a in ssl3_HandleHandshake /home/worker/nss/lib/ssl/ssl3con.c:11848:18
    #4 0x70c1bf in ssl3_HandleRecord /home/worker/nss/lib/ssl/ssl3con.c:12611:22
    #5 0x77ef80 in ssl3_GatherCompleteHandshake /home/worker/nss/lib/ssl/ssl3gthr.c:474:22
    #6 0x789bf0 in ssl_GatherRecord1stHandshake /home/worker/nss/lib/ssl/sslcon.c:78:10
    #7 0x53a71a in ssl_Do1stHandshake /home/worker/nss/lib/ssl/sslsecur.c:65:14
    #8 0x5463bc in SSL_ForceHandshake /home/worker/nss/lib/ssl/sslsecur.c:413:14
    #9 0x51914b in TestAgent::Handshake() /home/worker/nss/external_tests/nss_bogo_shim/nss_bogo_shim.cc:207:34
    #10 0x50a67e in TestAgent::DoExchange() /home/worker/nss/external_tests/nss_bogo_shim/nss_bogo_shim.cc:236:20
    #11 0x509ca5 in RunCycle(std::unique_ptr<Config const, std::default_delete<Config const> >&) /home/worker/nss/external_tests/nss_bogo_shim/nss_bogo_shim.cc:289:26
    #12 0x50b9d2 in main /home/worker/nss/external_tests/nss_bogo_shim/nss_bogo_shim.cc:322:18
    #13 0x7f3055d3082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x422858 in _start (/home/worker/nss/external_tests/nss_bogo_shim/Linux4.1_x86_64_clang-3.9_glibc_PTH_64_ASAN_DBG.OBJ/nss_bogo_shim+0x422858)
(Assignee)

Updated

a year ago
Keywords: sec-moderate
(Assignee)

Comment 2

a year ago
Good news is that so far this is the only thing that running BoGo/NSS with UBSan finds.
(Assignee)

Comment 3

a year ago
Unhiding, this isn't security sensitive if memcpy() is called with a NULL pointer but length=0.
Group: crypto-core-security
Keywords: sec-moderate
(Assignee)

Comment 4

a year ago
https://hg.mozilla.org/projects/nss/rev/6b3812492e71
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28
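
Added example, not part of this bug or of the NSS change linked above: the pattern the UBSan report describes (memcpy() reached with a NULL source and length 0) next to a guarded form. All names here (field_t, session_t, ID_MAX, store_id_unchecked, store_id_checked) are hypothetical and are not NSS identifiers.

```c
#include <stddef.h>
#include <string.h>

#define ID_MAX 32

/* Hypothetical parsed variable-length field: data may be NULL when len == 0,
 * which is what a parser typically yields for an empty field. */
typedef struct {
    const unsigned char *data;
    size_t len;
} field_t;

/* Hypothetical destination with a fixed-size buffer. */
typedef struct {
    unsigned char id[ID_MAX];
    size_t id_len;
} session_t;

/* Pattern UBSan flags: memcpy() is called even when src->data is NULL and
 * src->len is 0. string.h declares the pointer arguments nonnull, so the
 * call is undefined behaviour although no bytes are copied.
 * Kept for contrast only; nothing in this example calls it. */
int store_id_unchecked(session_t *s, const field_t *src)
{
    if (src->len > ID_MAX)
        return -1;
    memcpy(s->id, src->data, src->len);
    s->id_len = src->len;
    return 0;
}

/* Guarded form: bound the length, reject NULL paired with a non-zero
 * length, and skip memcpy() entirely for an empty field. */
int store_id_checked(session_t *s, const field_t *src)
{
    if (src->len > ID_MAX)
        return -1;
    if (src->len != 0) {
        if (src->data == NULL)
            return -1;
        memcpy(s->id, src->data, src->len);
    }
    s->id_len = src->len;
    return 0;
}
```

Building a caller of store_id_unchecked with clang's -fsanitize=undefined and passing an empty field reproduces the same "null pointer passed as argument 2" diagnostic; store_id_checked stays silent.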