Closed Bug 168368 Opened 22 years ago Closed 22 years ago

Uninitialized memory read in CERT_CreateRDN

Categories: NSS :: Libraries, defect

Status: RESOLVED FIXED

People: Reporter: wtc, Assigned: wtc

Attachments: 1 file

Purify reported this UMR in CERT_CreateRDN:

[W] UMR: Uninitialized memory read in CERT_CreateRDN {12 occurrences}
    Reading 4 bytes from 0x0a30e3b0 (4 bytes at 0x0a30e3b0 uninitialized)
    Address 0x0a30e3b0 points into a thread's stack
    Thread ID: 0x668
    Error location
    CERT_CreateRDN [secname.c:322]
        /* Count number of avas going into the rdn */
        count = 1;
        va_start(ap, ava0);
     => while ((ava = va_arg(ap, CERTAVA*)) != 0) {
            count++;
        }
        va_end(ap);

This is a serious problem. CERT_CreateRDN will walk through the stack reading whatever happens to be there until it finds four 0 bytes.

There is one call to CERT_CreateRDN in secname.c that looks like this:

    trdn = CERT_CreateRDN(arena, 0);

where CERT_CreateRDN has this prototype:

    CERTRDN *
    CERT_CreateRDN(PRArenaPool *arena, CERTAVA *ava0, ...);

The way CERT_CreateRDN is implemented, the caller is required to pass in a non-NULL CERTAVA in order to avoid reading uninitialized stack data.

There are two ways to fix this UMR.
1. Do not call CERT_CreateRDN with a NULL 'ava0' argument.
2. CERT_CreateRDN should not call va_arg if 'ava0' is NULL.
Attached patch: Proposed patch
CERT_CreateRDN should not call va_arg if 'ava0' is NULL.
In the interest of time, I've checked in the patch. Your review is still welcome.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.6
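
The counting loop from the Purify report next to a guarded form of it (fix option 2), as an added example that is not the attached patch or NSS code. The `AVA` type and the `count_avas_*` functions are hypothetical stand-ins for `CERTAVA` and the counting step inside `CERT_CreateRDN`.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for CERTAVA; only pointer identity matters here. */
typedef struct { int tag; } AVA;

/* Same shape as the flagged loop: va_arg is called unconditionally.
 * Called as count_avas_unguarded(NULL) with nothing after it, the first
 * va_arg reads a slot the caller never wrote (the UMR in the report).
 * It is only well defined when ava0 != NULL and the list ends in NULL. */
static int count_avas_unguarded(AVA *ava0, ...)
{
    va_list ap;
    int count = 1;              /* counts ava0 even when it is NULL */
    va_start(ap, ava0);
    while (va_arg(ap, AVA *) != NULL)
        count++;
    va_end(ap);
    return count;
}

/* Guarded form: a NULL ava0 is itself the terminator, so the variable
 * argument list is never touched in that case. */
static int count_avas_guarded(AVA *ava0, ...)
{
    va_list ap;
    int count = 0;
    if (ava0 != NULL) {
        count = 1;
        va_start(ap, ava0);
        while (va_arg(ap, AVA *) != NULL)
            count++;
        va_end(ap);
    }
    return count;
}

int main(void)
{
    AVA a = {1}, b = {2};
    /* Terminate with a typed null pointer: a bare 0 is passed as an int,
     * which need not have the size of a pointer in a variadic call. */
    printf("empty: %d\n", count_avas_guarded(NULL));
    printf("two:   %d\n", count_avas_guarded(&a, &b, (AVA *)NULL));
    printf("two (unguarded, terminated): %d\n",
           count_avas_unguarded(&a, &b, (AVA *)NULL));
    return 0;
}
```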