Bug 1359963 (Closed)
Opened 8 years ago, closed 8 years ago
NSS server crash when handling SSLv2 hello, attempt to write to NULL buffer.
Categories: NSS :: Libraries, enhancement
Tracking: firefox-esr45 unaffected, firefox-esr52 unaffected, firefox54 unaffected, firefox55 unaffected
Status: RESOLVED DUPLICATE of bug 1328122
People: Reporter: KaiE, Unassigned
Keywords: csectype-dos, sec-moderate
Attachments (1 file): 52.48 KB, text/plain
We've received a report from a user of server software that uses NSS.
The report was seen on a RHEL 7.3 system, with NSS 3.28.2, in combination with an old nss-softokn 3.16.2.3.
It's crashing in ssl3_GatherData, here:

```c
if (v2HdrLength) {
    gs->inbuf.len = 5 - v2HdrLength;
    PORT_Memcpy(lbp, gs->hdr + v2HdrLength, gs->inbuf.len);   /* <- crash: lbp is NULL */
    gs->remainder -= gs->inbuf.len;
    lbp += gs->inbuf.len;
}
```

lbp is NULL; apparently the code expects that a destination buffer has been allocated, but it hasn't been.
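The crashing branch above, reconstructed as an added C example that is not NSS code and not the fix from bug 1328122: hypothetical stand-ins for the gather state, plus the allocation check the vulnerable path lacks, so the copy of the header tail never goes through a NULL lbp. The 2-byte SSLv2 header rule in v2_header_length and the sample header bytes are assumptions/constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for NSS's gather state (not the real sslGather/sslBuffer). */
typedef struct {
    unsigned char *buf;   /* record body destination; NULL until allocated */
    unsigned int len;     /* bytes currently held */
    unsigned int space;   /* bytes allocated */
} Buffer;

typedef struct {
    unsigned char hdr[5]; /* the 5 header bytes read from the wire */
    Buffer inbuf;
    int remainder;        /* body bytes still to be read */
} Gather;

/* Assumption: a first byte with the high bit set is a 2-byte SSLv2 record header;
 * anything else is treated as an SSLv3/TLS record header (returns 0). */
unsigned int v2_header_length(const unsigned char *hdr)
{
    return (hdr[0] & 0x80) ? 2 : 0;
}

/* Make sure inbuf can hold `need` bytes; grow it instead of writing through NULL. */
static int ensure_space(Buffer *b, unsigned int need)
{
    if (b->buf != NULL && b->space >= need)
        return 0;
    unsigned char *p = realloc(b->buf, need);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->space = need;
    return 0;
}

/* Copy the bytes of the 5-byte header that are really record body (the branch
 * of ssl3_GatherData quoted in the report), but only after the destination exists.
 * Returns the number of bytes copied, or -1 if no buffer could be provided. */
int copy_v2_body_prefix(Gather *gs, unsigned int v2HdrLength)
{
    if (v2HdrLength == 0 || v2HdrLength > 5)
        return 0;
    unsigned int need = 5 - v2HdrLength;
    if (ensure_space(&gs->inbuf, need) != 0)   /* the check the crashing path lacks */
        return -1;
    unsigned char *lbp = gs->inbuf.buf;        /* guaranteed non-NULL here */
    gs->inbuf.len = need;
    memcpy(lbp, gs->hdr + v2HdrLength, need);
    gs->remainder -= (int)need;
    return (int)need;
}
```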
Comment 1 (Reporter, 8 years ago)
Attaching full stack.
Comment 2 (Reporter, 8 years ago)
Additional information: the crash was triggered by running a Qualys vulnerability scan on the server.
Based on the stack, it seems an SSLv2-compatible hello was sent to the crashing server.
Comment 3 (Reporter, 8 years ago)
For reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1435017
(There are private comments which you probably aren't able to see.)
Comment 4 (8 years ago)
Note that the code on trunk asserts that lbp is non-NULL, so there is probably already a fix added. Tim knows this code better than I do, but it seems like you might just be able to backport the fix to Bug 1328122 (https://hg.mozilla.org/projects/nss/rev/55ea60effd0d).
Comment 5 (8 years ago)
Martin is right, we can backport the fix for bug 1328122 if needed. OTOH, 3.29 has it already and only servers are affected.
Updated (8 years ago)
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Keywords: csectype-dos, sec-moderate
Comment 6 (8 years ago)
Does Mozilla intend to assign a CVE id to this issue, or should we do it?
Comment 8 (8 years ago)
We have assigned CVE-2017-7502 to this issue.
Updated (8 years ago)
Alias: CVE-2017-7502
Comment 10 (8 years ago)
So is this a dupe of bug 1328122 then? If it's the same CVE number and the same patch, it seems like it is.
Alias: CVE-2017-7502
Depends on: CVE-2017-7502
Updated (5 years ago)
Group: crypto-core-security
QA Contact: jjones