the static nsICryptoHash in SHA256 (nsHttpConnectionInfo.cpp) is never released and thus leaks

RESOLVED FIXED in Firefox -esr60

Status

()

defect
P1
normal
RESOLVED FIXED
2 years ago
Last year

People

(Reporter: keeler, Assigned: keeler)

Tracking

(Blocks 1 bug)

unspecified
mozilla61
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr6061+ fixed, firefox61 fixed)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 attachment)

static nsresult
SHA256(const char* aPlainText, nsAutoCString& aResult)
{
  static nsICryptoHash* hasher = nullptr;
  nsresult rv;
  if (!hasher) {
    rv = CallCreateInstance("@mozilla.org/security/hash;1", &hasher);
    if (NS_FAILED(rv)) {
      LOG(("nsHttpDigestAuth: no crypto hash!\n"));
      return rv;
    }
  }

  rv = hasher->Init(nsICryptoHash::SHA256);
  NS_ENSURE_SUCCESS(rv, rv);

  rv = hasher->Update((unsigned char*) aPlainText, strlen(aPlainText));
  NS_ENSURE_SUCCESS(rv, rv);

  rv = hasher->Finish(false, aResult);
  return rv;
}

`hasher` is never released. Also hopefully this is only ever run on one thread?
Attachment #8957720 - Flags: review?(mcmanus) → review?(honzab.moz)
Priority: P1 → P3
Whiteboard: [necko-triaged]
Review ping, Honza?
Flags: needinfo?(honzab.moz)
Priority: P3 → P1
Comment on attachment 8957720 [details]
bug 1444532 - fix a leak in SHA256 in nsHttpConnectionInfo.cpp

https://reviewboard.mozilla.org/r/226678/#review233686

::: netwerk/protocol/http/nsHttpConnectionInfo.cpp:29
(Diff revision 1)
>  static nsresult
>  SHA256(const char* aPlainText, nsAutoCString& aResult)
>  {
> -  static nsICryptoHash* hasher = nullptr;
> -  nsresult rv;
> +    nsresult rv;
> -  if (!hasher) {
> +    nsCOMPtr<nsICryptoHash> hasher =

we also have static refptrs (StaticRefPtr)
Attachment #8957720 - Flags: review?(honzab.moz) → review+
Thanks! I think having this be non-static is best (there's very little benefit to doing it that way).
Flags: needinfo?(honzab.moz)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ad1e07a06363
fix a leak in SHA256 in nsHttpConnectionInfo.cpp r=mayhemer
https://hg.mozilla.org/mozilla-central/rev/ad1e07a06363
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Thanks everyone here for finding and fixing this bug, and sorry for my mistake. Would it be possible to backport the patch to esr60?
Comment on attachment 8957720 [details]
bug 1444532 - fix a leak in SHA256 in nsHttpConnectionInfo.cpp

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: This may have inadvertently fixed a crash bug - see https://crash-stats.mozilla.com/signature/?signature=PK11_ExitContextMonitor and bug 1462386.
User impact if declined: See bug 1462386. Apparently "Setting a SOCKS proxy with password in browser.proxy.onRequest WebExtension API crashes the browser after navigating a while."
Fix Landed on Version: 61
Risk to taking this patch (and alternatives if risky): low - the change is small, localized, and the idiom in use is common for that implementation
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8957720 - Flags: approval-mozilla-esr60?
Comment on attachment 8957720 [details]
bug 1444532 - fix a leak in SHA256 in nsHttpConnectionInfo.cpp

leak fix, approved for 60.1esr
Attachment #8957720 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
You need to log in before you can comment on or make changes to this bug.