pk11_CollectCrls crashes if CERT_DecodeDERCrl returns a NULL pointer.

RESOLVED FIXED in 3.5.1

Status

NSS
Libraries
RESOLVED FIXED
16 years ago
16 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Robert Relyea)

Attachments

(1 attachment)

(Reporter)

Description

16 years ago
This bug is reported by Robert List in the mozilla.crypto
newsgroup.

pk11_CollectCrls crashes if CERT_DecodeDERCrl returns
a NULL pointer.  Here is the relevant code snippet:

static SECStatus
pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg)
{
...
    new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type);
    if (new_node->crl == NULL) {
        goto loser;
    }

    if (fetchCrl[2].pValue) {
        int nnlen = fetchCrl[2].ulValueLen;
        new_node->crl->url  = (char *)PORT_ArenaAlloc(head->arena, nnlen+1);

If CERT_DecodeDERCrl returns a NULL pointer, we get an access
violation on dereferencing new_node->crl->url.
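The pattern in the snippet above, as an added stand-alone example (not NSS's own code): a stand-in decoder returns NULL for a malformed DER blob, and the collector bails out via the loser label before it ever touches new_node->crl->url. The types SECItem, CERTSignedCrl, CRLNode and the functions decode_der_crl and collect_crl are simplified stand-ins for the NSS names in the snippet.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { SECSuccess = 0, SECFailure = -1 } SECStatus;

/* Minimal stand-ins for the NSS types used in the snippet (not NSS's definitions). */
typedef struct { const unsigned char *data; size_t len; } SECItem;
typedef struct { char *url; } CERTSignedCrl;
typedef struct { CERTSignedCrl *crl; } CRLNode;

/* Stand-in for CERT_DecodeDERCrl: accepts only a short DER SEQUENCE (tag 0x30)
 * whose length byte matches the buffer; returns NULL on anything malformed. */
static CERTSignedCrl *decode_der_crl(const SECItem *der) {
    if (der->len < 2 || der->data[0] != 0x30 || der->data[1] != der->len - 2)
        return NULL;
    return calloc(1, sizeof(CERTSignedCrl));
}

/* Mirrors the fixed pk11_CollectCrls: a failed decode jumps to loser before
 * the url attribute is copied into node->crl, so no NULL dereference occurs. */
SECStatus collect_crl(CRLNode *node, const SECItem *der,
                      const char *url, size_t urlLen) {
    node->crl = decode_der_crl(der);
    if (node->crl == NULL) {
        goto loser;   /* the fix: without this, node->crl->url below dereferences NULL */
    }
    if (url) {
        node->crl->url = malloc(urlLen + 1);
        if (node->crl->url == NULL) goto loser;
        memcpy(node->crl->url, url, urlLen);
        node->crl->url[urlLen] = '\0';
    }
    return SECSuccess;
loser:
    if (node->crl) { free(node->crl->url); free(node->crl); node->crl = NULL; }
    return SECFailure;
}

int main(void) {
    /* Constructed inputs: one well-formed SEQUENCE, one with a bogus length byte. */
    static const unsigned char good[] = {0x30, 0x02, 0x05, 0x00};
    static const unsigned char bad[]  = {0x30, 0x05, 0x00};
    SECItem goodItem = { good, sizeof good }, badItem = { bad, sizeof bad };
    CRLNode n = {0};
    printf("good: %d\n", collect_crl(&n, &goodItem, "http://crl.example/a.crl", 24));
    printf("bad:  %d (crl=%p)\n", collect_crl(&n, &badItem, "x", 1), (void *)n.crl);
    return 0;
}
```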

(Reporter)

Comment 1

16 years ago
This is fixed on the tip, in rev. 1.87 of pk11cert.c.

There is an error in the code snippet I provided.
Actually, the code after the CERT_DecodeDERCrl call:

    if (new_node->crl == NULL) {
        goto loser;
    }

is the fix and was not there originally :-)  Sorry
about the confusion.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.6

(Reporter)

Comment 2

16 years ago
Created attachment 92982 [details] [diff] [review]
The fix

Comment 3

16 years ago
a=asa (on behalf of drivers) for checkin to 1.1

(Reporter)

Comment 4

16 years ago
I checked in the fix into NSS_3_5_BRANCH and NSS_CLIENT_TAG.
Target Milestone: 3.6 → 3.5.1