Closed Bug 165859 Opened 22 years ago Closed 22 years ago

Double free on error path in nssTrustDomain_FindCertificateByIssuerAndSerialNumber

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(1 file)

In trustdomain.c, function
nssTrustDomain_FindCertificateByIssuerAndSerialNumber,
'collection' may be destroyed twice if the
nssPKIObjectCollection_GetCertificates call fails.

Here is the code fragment:

    if (collection) {
        (void)nssPKIObjectCollection_GetCertificates(collection,
                                                     &rvCert, 1, NULL);
        nssPKIObjectCollection_Destroy(collection);
        if (!rvCert) {
            goto loser;
        }
    }
    nssSlotArray_Destroy(slots);
    return rvCert;
loser:
    if (collection) {
        nssPKIObjectCollection_Destroy(collection);
    }
    if (slots) {
        nssSlotArray_Destroy(slots);
    }
    return (NSSCertificate *)NULL;
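
The control flow of the fragment above, reduced to a self-contained C example. It is added here and is not NSS code or the attached patch. `Collection`, `Cert` and the helper functions are hypothetical stand-ins whose destroy routine only counts calls, and the second function shows one common remedy (clearing the pointer once it has been destroyed), which is an assumption and not necessarily what the patch does.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the NSS types. Destroy only counts calls,
 * so a double destroy is observable without corrupting the heap. */
typedef struct { int destroy_calls; } Collection;
typedef struct { int id; } Cert;

static Cert sample_cert = { 1 };   /* constructed sample object */

static void collection_destroy(Collection *c) { c->destroy_calls++; }

/* Mimics the GetCertificates call: leaves *out NULL when 'fail' is set. */
static void collection_get_cert(Collection *c, Cert **out, int fail)
{
    (void)c;
    *out = fail ? NULL : &sample_cert;
}

/* Same control flow as the fragment in the report. */
Cert *find_cert_buggy(Collection *collection, int fail)
{
    Cert *rvCert = NULL;
    if (collection) {
        collection_get_cert(collection, &rvCert, fail);
        collection_destroy(collection);
        if (!rvCert) goto loser;          /* collection already destroyed */
    }
    return rvCert;
loser:
    if (collection) collection_destroy(collection);   /* second destroy */
    return NULL;
}

/* One remedy: clear the pointer as soon as the object is destroyed. */
Cert *find_cert_fixed(Collection *collection, int fail)
{
    Cert *rvCert = NULL;
    if (collection) {
        collection_get_cert(collection, &rvCert, fail);
        collection_destroy(collection);
        collection = NULL;                /* loser: now skips the destroy */
        if (!rvCert) goto loser;
    }
    return rvCert;
loser:
    if (collection) collection_destroy(collection);
    return NULL;
}
```
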
Attached patch: Proposed patch
Fix checked into the tip.  This bug seems to have been
introduced in NSS 3.5.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.6
Attachment #97367 - Flags: review+