1495451 - use-after-free in tls13_CopyKeyShareEntry

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[Daniel Veditz [:dveditz]]

Coverity reports a use-after-free in tls13_CopyKeyShareEntry. Looks like a missing "return NULL" after the free.

*** CID 1439842:  Memory - corruptions  (USE_AFTER_FREE)
/security/nss/lib/ssl/tls13con.c: 3453 in tls13_CopyKeyShareEntry()
3447             return NULL;
3448         }
3449     
3450         if (SECSuccess != SECITEM_CopyItem(NULL, &n->key_exchange, &o->key_exchange)) {
3451             PORT_Free(n);
3452         }
>>>     CID 1439842:  Memory - corruptions  (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "n".
3453         n->group = o->group;
3454         return n;
3455     }
3456     
3457     void
3458     tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer)

Comment 1

[Randell Jesup [:jesup] (needinfo me)]

Note there were several other minor(?) coverity notices (about an ignored rv = value, and such - likely minor or false-positives, but also worth checking).  Sent via email to ekr & mt.

Comment 2

[Eric Rescorla (:ekr)]

This is a nice catch. Fortunately it's not an issue in Firefox because we don't invoke this fxn. I'll produce a fix, though.

Comment 3

[Eric Rescorla (:ekr)]

Attachment: Fix issues flagged by coverity

Comment 4

[Martin Thomson [:mt:]]

Comment on attachment 9013464 [details]
Fix issues flagged by coverity

Martin Thomson [:mt:] has approved the revision.

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Per comment 2, this doesn't need to be tracked on the Firefox side.