Cleanup could call mp_clear for uninitialized mp_int

Status: NEW (Unassigned)
Product: NSS
Component: Libraries
Priority: P3
Severity: normal
Reported: 15 days ago
Modified: 15 days ago

Reporter: Jonas Allmann

Version: trunk

Description (Reporter, 15 days ago):

Found when fixing RSA_NewKey().
Several mp_int objects are created and not initialized until later.

If cleanup is reached before all of them are initialized, mp_clear is called on an uninitialized mp_int, which could mean freeing a random non-null pointer.

This never seems to happen when all mp_ints are initialized and checked one after another, but it's not guaranteed.

Fix suggestion:
Initialize every mp_int as {0,0,0,NULL} upon creation.
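The pattern described above, as an added example that is not NSS code: a small stand-in for the mpi library's mp_int (same field order: sign, alloc, used, dp) with an mp_clear that, like the real one, only frees when dp is non-NULL, plus a hypothetical newkey_like() that mimics the declare-several, initialize-one-by-one, goto-cleanup control flow of RSA_NewKey(). The allocation registry, the bad_frees counter, the fail_after knob and the 0xAB garbage fill are instrumentation invented here so the effect of a never-initialized mp_int reaching mp_clear can be observed without actually freeing a wild pointer.

```c
/* Added example: stand-in for the NSS mpi types, not the real library.
 * The registry and bad_frees counter are instrumentation for this demo. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int mp_digit;

typedef struct {
    int sign;
    int alloc;
    int used;
    mp_digit *dp;
} mp_int;

/* The initializer the report suggests: every field zero, dp NULL. */
#define MP_ZERO_INIT { 0, 0, 0, NULL }

#define MAX_LIVE 16
static mp_digit *live[MAX_LIVE];   /* digit buffers handed out by mp_init */
static int live_count;
static int bad_frees;              /* mp_clear saw a non-NULL dp it never allocated */

static int mp_init(mp_int *mp)
{
    enum { NDIGITS = 4 };
    mp_digit *dp = calloc(NDIGITS, sizeof *dp);
    if (dp == NULL || live_count == MAX_LIVE) {
        free(dp);
        return -1;
    }
    mp->sign = 0;
    mp->alloc = NDIGITS;
    mp->used = 0;
    mp->dp = dp;
    live[live_count++] = dp;
    return 0;
}

/* Drop dp from the registry; returns 1 if it was one of ours. */
static int forget_live(mp_digit *dp)
{
    int i;
    for (i = 0; i < live_count; i++) {
        if (live[i] == dp) {
            live[i] = live[--live_count];
            return 1;
        }
    }
    return 0;
}

/* Same shape as mpi's mp_clear: a NULL dp is a no-op, which is exactly
 * why {0,0,0,NULL} makes clearing a never-initialized mp_int safe. */
static void mp_clear(mp_int *mp)
{
    if (mp == NULL)
        return;
    if (mp->dp != NULL) {
        if (forget_live(mp->dp))
            free(mp->dp);
        else
            bad_frees++;   /* the real mp_clear would call free() on this pointer */
        mp->dp = NULL;
    }
    mp->used = 0;
    mp->alloc = 0;
}

/* Hypothetical RSA_NewKey-style flow: three mp_ints declared up front,
 * initialized one after another, every failure jumping to one cleanup that
 * clears all of them. fail_after = k aborts before the (k+1)-th mp_init
 * (k = 3 means no failure). With zero_init == 0 the locals are first filled
 * with 0xAB, standing in for whatever the stack held before. Returns how
 * many bogus frees cleanup attempted. */
static int newkey_like(int fail_after, int zero_init)
{
    mp_int p = MP_ZERO_INIT, q = MP_ZERO_INIT, n = MP_ZERO_INIT;
    int before = bad_frees;

    if (!zero_init) {
        memset(&p, 0xAB, sizeof p);   /* simulated uninitialized stack contents */
        memset(&q, 0xAB, sizeof q);
        memset(&n, 0xAB, sizeof n);
    }

    if (fail_after < 1 || mp_init(&p) != 0) goto cleanup;
    if (fail_after < 2 || mp_init(&q) != 0) goto cleanup;
    if (fail_after < 3 || mp_init(&n) != 0) goto cleanup;
    /* key computation would go here */

cleanup:
    mp_clear(&p);
    mp_clear(&q);
    mp_clear(&n);
    return bad_frees - before;
}

static int live_allocations(void) { return live_count; }

int main(void)
{
    printf("zero-init, fail before q : %d bad frees\n", newkey_like(1, 1));
    printf("garbage,   fail before q : %d bad frees\n", newkey_like(1, 0));
    printf("leaked buffers: %d\n", live_allocations());
    return 0;
}
```

With zero-initialized locals every failure point clears cleanly; with garbage-filled locals the same early exit hands mp_clear two non-NULL pointers it never allocated, which is the "freeing a random non-null pointer" case from the report.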