use-after-free in tls13_CopyKeyShareEntry

Status: RESOLVED FIXED (defect)
9 months ago
24 days ago

People: Reporter: dveditz, Assigned: ekr

Tracking: Blocks 1 bug, {csectype-uaf, sec-high}
trunk

Firefox Tracking Flags: firefox-esr60 unaffected, firefox62 unaffected, firefox63 unaffected, firefox64- unaffected

Attachments: 1 attachment

Description (Reporter, 9 months ago):
Coverity reports a use-after-free in tls13_CopyKeyShareEntry. Looks like a missing "return NULL" after the free.

*** CID 1439842:  Memory - corruptions  (USE_AFTER_FREE)
/security/nss/lib/ssl/tls13con.c: 3453 in tls13_CopyKeyShareEntry()
3447             return NULL;
3448         }
3449     
3450         if (SECSuccess != SECITEM_CopyItem(NULL, &n->key_exchange, &o->key_exchange)) {
3451             PORT_Free(n);
3452         }
>>>     CID 1439842:  Memory - corruptions  (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "n".
3453         n->group = o->group;
3454         return n;
3455     }
3456     
3457     void
3458     tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer)
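A reduced stand-in for the corrected function, added here as an example and not taken from NSS or the attachment; the types, item_copy and the g_fail_copy fault-injection switch are hypothetical simplifications of SECItem, SECITEM_CopyItem and PORT_Free, and the sample key_exchange bytes and group id are constructed:

```c
/* Added example, not NSS code: a stand-in for the tls13_CopyKeyShareEntry
 * pattern from the Coverity report, with the missing "return NULL" after the
 * free in place. Types and names are hypothetical simplifications. */
#include <stdlib.h>
#include <string.h>

typedef enum { SECSuccess = 0, SECFailure = -1 } SECStatus;
typedef struct { unsigned char *data; size_t len; } Item;  /* stand-in for SECItem */
typedef struct { int group; Item key_exchange; } KeyShareEntry;

static int g_fail_copy = 0;  /* hypothetical fault injection for the failure path */

/* Stand-in for SECITEM_CopyItem: deep-copies src into dst. */
static SECStatus item_copy(Item *dst, const Item *src) {
    if (g_fail_copy) return SECFailure;
    dst->data = malloc(src->len ? src->len : 1);
    if (!dst->data) return SECFailure;
    memcpy(dst->data, src->data, src->len);
    dst->len = src->len;
    return SECSuccess;
}

/* Fixed copy: when the inner copy fails, free n AND return NULL so n is
 * never touched after the free (the flagged code fell through to n->group). */
KeyShareEntry *copy_key_share_entry(const KeyShareEntry *o) {
    KeyShareEntry *n = calloc(1, sizeof(*n));
    if (!n) return NULL;
    if (SECSuccess != item_copy(&n->key_exchange, &o->key_exchange)) {
        free(n);
        return NULL;  /* the line the Coverity finding says was missing */
    }
    n->group = o->group;
    return n;
}

/* Runs the success path and the injected-failure path on constructed data;
 * returns 1 when the copy is a real deep copy and the failure path yields NULL. */
int copy_paths_behave(void) {
    unsigned char kx[] = { 0x01, 0x02, 0x03 };    /* constructed key_exchange bytes */
    KeyShareEntry o = { 29, { kx, sizeof kx } };  /* 29: constructed group id */
    KeyShareEntry *n = copy_key_share_entry(&o);
    int ok = n && n->group == 29 && n->key_exchange.len == 3 &&
             n->key_exchange.data != kx && memcmp(n->key_exchange.data, kx, 3) == 0;
    if (n) { free(n->key_exchange.data); free(n); }
    g_fail_copy = 1;
    ok = ok && copy_key_share_entry(&o) == NULL;  /* n freed, not dereferenced */
    g_fail_copy = 0;
    return ok;
}
```

Running the same check against the flagged version (without the early return) under AddressSanitizer is the quickest way to confirm the finding, since the failure path then writes to freed memory.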
Updated by Reporter, 9 months ago:
Blocks: 1488622
Note there were several other minor(?) coverity notices (about an ignored rv = value, and such - likely minor or false-positives, but also worth checking). Sent via email to ekr & mt.
Comment 2 (Assignee, 9 months ago):
This is a nice catch. Fortunately it's not an issue in Firefox because we don't invoke this fxn. I'll produce a fix, though.
Comment on attachment 9013464
Fix issues flagged by coverity

Martin Thomson [:mt:] has approved the revision.
Attachment #9013464 - Flags: review+
Per comment 2, this doesn't need to be tracked on the Firefox side.
Updated by Assignee, 9 months ago:
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Updated by Reporter, 9 months ago:
Group: crypto-core-security → core-security-release
Updated by Reporter, 3 months ago:
Group: core-security-release