Open Bug 1415848 Opened 7 years ago Updated 2 years ago

Cleanup could call mp_clear for uninitialized mp_int

Categories: NSS :: Libraries, enhancement, P3

Tracking: Not tracked

People: Reporter: jallmann, Unassigned

Details

Found when fixing RSA_NewKey().
Several mp_int objects are created and not initialized until later.

If the code goes to cleanup before all of them are initialized, mp_clear is called on an uninitialized mp_int, which could mean freeing a random non-NULL pointer.

This seems never to happen when every mp_int is initialized and checked one after another, but it is not guaranteed.

Fix suggestion:
Initialize every mp_int as {0,0,0,NULL} upon creation.
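The cleanup pattern the report describes, as an added example (not NSS's own code): a constructed stand-in for mp_int whose field order matches the {0,0,0,NULL} initializer suggested above, a toy mp_clear that treats a NULL dp as "nothing to free", and a key-generation-shaped routine with one cleanup label that can be made to fail at any initialization step. The names mp_init, mp_clear, newkey_pattern, cleared_count and the MP_MEM value are assumptions of this toy, not the mpi library's API. Because every mp_int is zeroed at declaration, an early goto cleanup only ever hands mp_clear a NULL dp; the same routine with the initializers removed would pass whatever stack garbage sits in dp to free().

```c
#include <stdlib.h>

/* Constructed stand-in for NSS's mp_int. Field order (sign, alloc, used, dp)
 * is chosen to match the {0,0,0,NULL} initializer from the bug report;
 * this is not the mpi library's own definition. */
typedef struct {
    int sign;
    unsigned alloc;
    unsigned used;
    unsigned long *dp;
} mp_int;

#define MP_OKAY 0
#define MP_MEM  (-2)   /* assumed error code for allocation failure */

/* Allocate digit storage for an mp_int (toy version). */
static int mp_init(mp_int *mp)
{
    mp->sign = 0;
    mp->alloc = 4;
    mp->used = 0;
    mp->dp = calloc(mp->alloc, sizeof(*mp->dp));
    return mp->dp ? MP_OKAY : MP_MEM;
}

/* Release digit storage. Safe on a zeroed struct: a NULL dp means there is
 * nothing to free, which is exactly what the {0,0,0,NULL} fix relies on. */
static void mp_clear(mp_int *mp)
{
    if (mp == NULL)
        return;
    if (mp->dp != NULL) {
        free(mp->dp);
        mp->dp = NULL;
    }
    mp->used = 0;
    mp->alloc = 0;
}

/* Mimics a key-generation routine with several mp_ints and a single cleanup
 * label. fail_at selects which init step (0..3) fails, or -1 for success.
 * Returns the status code; if cleared is non-NULL it receives the number of
 * mp_ints that actually held storage when cleanup ran. */
int newkey_pattern(int fail_at, int *cleared)
{
    /* The report's fix: zero every mp_int at declaration so that cleanup
     * never sees an indeterminate dp, no matter how early we bail out. */
    mp_int p = {0, 0, 0, NULL};
    mp_int q = {0, 0, 0, NULL};
    mp_int e = {0, 0, 0, NULL};
    mp_int d = {0, 0, 0, NULL};
    mp_int *vars[4] = {&p, &q, &e, &d};
    int rv = MP_OKAY;
    int freed = 0;
    int i;

    for (i = 0; i < 4; i++) {
        if (i == fail_at) {          /* simulated allocation failure */
            rv = MP_MEM;
            goto cleanup;
        }
        rv = mp_init(vars[i]);
        if (rv != MP_OKAY)
            goto cleanup;
    }

cleanup:
    /* Unconditional cleanup of all four, initialized or not. */
    for (i = 0; i < 4; i++) {
        if (vars[i]->dp != NULL)
            freed++;
        mp_clear(vars[i]);
    }
    if (cleared != NULL)
        *cleared = freed;
    return rv;
}

/* Convenience wrapper: how many mp_ints cleanup actually had to free. */
int cleared_count(int fail_at)
{
    int n = 0;
    newkey_pattern(fail_at, &n);
    return n;
}
```

Running the routine with failures injected at each step shows cleanup freeing exactly the mp_ints that were initialized before the failure and skipping the rest, which is the invariant that makes a single cleanup label safe.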
Hello,

I have checked RSA_NewKey() code and found that 4 local variables (|p|,|q|,|e|,|d|) are initialized to {0,0,0,NULL} upon creation.
Are these the variables that needed to be initialized?
Thanks,
Severity: normal → S3