Closed
Bug 168368
Opened 22 years ago
Closed 22 years ago
Uninitialized memory read in CERT_CreateRDN
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.6
People
(Reporter: wtc, Assigned: wtc)
Details
Attachments
(1 file)
1.23 KB,
patch
Purify reported this UMR in CERT_CreateRDN:
    [W] UMR: Uninitialized memory read in CERT_CreateRDN {12 occurrences}
        Reading 4 bytes from 0x0a30e3b0 (4 bytes at 0x0a30e3b0 uninitialized)
        Address 0x0a30e3b0 points into a thread's stack
        Thread ID: 0x668
        Error location
        CERT_CreateRDN [secname.c:322]
               /* Count number of avas going into the rdn */
               count = 1;
               va_start(ap, ava0);
         =>    while ((ava = va_arg(ap, CERTAVA*)) != 0) {
                   count++;
               }
               va_end(ap);
This is a serious problem. CERT_CreateRDN will walk through
the stack reading whatever happens to be there until it finds
four 0 bytes.
There is one call to CERT_CreateRDN in secname.c that looks
like this:
    trdn = CERT_CreateRDN(arena, 0);
where CERT_CreateRDN has this prototype:
    CERTRDN *
    CERT_CreateRDN(PRArenaPool *arena, CERTAVA *ava0, ...);
The way CERT_CreateRDN is implemented, the caller is required
to pass in a non-NULL CERTAVA in order to avoid reading
uninitialized stack data.
There are two ways to fix this UMR.
1. Do not call CERT_CreateRDN with a NULL 'ava0' argument.
2. CERT_CreateRDN should not call va_arg if 'ava0' is NULL.
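The second fix listed above, shown as an added example; it is not the NSS patch or code from this bug. `ava_t` and `collect_avas` are hypothetical stand-ins for CERTAVA and CERT_CreateRDN, and the sample values are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for CERTAVA; only its address matters here. */
typedef struct ava { int tag; } ava_t;

/*
 * Collect a NULL-terminated argument list into a NULL-terminated array.
 * If ava0 is NULL the caller passed an empty list and there is no
 * variadic argument to read, so va_arg is never evaluated in that case.
 * Returns a calloc'd array (caller frees); *n_out receives the count.
 */
ava_t **collect_avas(size_t *n_out, ava_t *ava0, ...)
{
    va_list ap;
    ava_t *ava;
    ava_t **out;
    size_t count = 0, i = 0;

    if (ava0 != NULL) {                     /* guard: fix 2 from the report */
        count = 1;
        va_start(ap, ava0);
        while ((ava = va_arg(ap, ava_t *)) != NULL)
            count++;
        va_end(ap);
    }
    out = calloc(count + 1, sizeof *out);   /* +1 for the NULL terminator */
    if (out == NULL)
        return NULL;
    if (ava0 != NULL) {                     /* same guard on the copy pass */
        out[i++] = ava0;
        va_start(ap, ava0);
        while ((ava = va_arg(ap, ava_t *)) != NULL)
            out[i++] = ava;
        va_end(ap);
    }
    *n_out = count;
    return out;
}

int main(void)
{
    ava_t a = {1}, b = {2};                 /* constructed sample values */
    size_t n = 0;
    /* Cast the sentinel: a bare NULL or 0 need not be pointer-sized here. */
    ava_t **v = collect_avas(&n, &a, &b, (ava_t *)NULL);
    int ok = (v != NULL && n == 2 && v[2] == NULL);
    free(v);
    return ok ? 0 : 1;
}
```

Callers that pass at least one non-NULL entry still have to end the list with a pointer-typed NULL; the guard only covers the empty-list call.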
Comment 1 • 22 years ago (Assignee)
CERT_CreateRDN should not call va_arg if 'ava0' is NULL.
Comment 2 • 22 years ago (Assignee)
In the interest of time, I've checked in the patch.
Your review is still welcome.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.6