Bug 174468 - PK11_TokenKeyGen's attribute template is too small
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Libraries
: 3.6
: All All
: P1 blocker
: 3.7
Assigned To: Robert Relyea
: Bishakha Banerjee
Reported: 2002-10-14 18:13 PDT by Jamie Nicolson
Modified: 2002-11-08 11:25 PST


Attachments
Increase array size to match largest possible case. (606 bytes, patch)
2002-10-23 16:02 PDT, Robert Relyea
jamie-bugzilla: review+

Description Jamie Nicolson 2002-10-14 18:13:05 PDT
The PKCS #11 attribute template in PK11_TokenKeyGen is allocated with 5
elements. It is possible, however, to generate 6 attributes, depending on the
parameters passed in. In this case, the buffer will overflow, and an assertion
will be triggered in debug builds.

The reason this worked before is we used this function with DES and triple-DES,
which don't have a keySize. So that attribute is not added to the template. To
create an AES key, I passed in a keySize of 128, which caused that attribute to
be added to the template, overflowing the buffer.

I'll try to find a workaround for this, but Some People want to be able to
generate AES keys.
Comment 1 Wan-Teh Chang 2002-10-17 11:27:47 PDT
Jamie, do you have a workaround now?  If you don't have
a workaround, it seems that you need a fix sooner than
NSS 3.7, correct?
Comment 2 Jamie Nicolson 2002-10-17 13:12:54 PDT
Our customer can continue using DES3 for a while, so we can wait until 3.7 to
fix this.
Comment 3 Robert Relyea 2002-10-23 16:02:50 PDT
Created attachment 103912
Increase array size to match largest possible case.

Good catch. Debug builds will catch the case if the arrays are too small, but
Optimize builds won't.
Comment 4 Jamie Nicolson 2002-10-23 16:14:48 PDT
Comment on attachment 103912
Increase array size to match largest possible case.

This fix looks good.
Comment 5 Wan-Teh Chang 2002-10-23 16:34:07 PDT
Comment on attachment 103912
Increase array size to match largest possible case.

r=wtc.

By the way, the initial value of 'count' is unused.
We might as well delete the initialization.
Comment 6 Robert Relyea 2002-10-31 15:17:45 PST
patch checked in.
Comment 7 Robert Relyea 2002-11-08 11:25:30 PST
checked into tip.
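
The overflow pattern discussed in this bug, as an added example (not NSS code and not the attached patch): a simplified model in which five attributes are always added and a sixth is added only for a nonzero key size. The type `attr_t`, the attribute codes and both functions are hypothetical; the append helper checks the bound at run time, so the outcome does not depend on an assertion that only exists in debug builds.

```c
#include <stddef.h>

/* Simplified stand-in for a PKCS #11 attribute entry (hypothetical type). */
typedef struct {
    unsigned long type;
    const void   *value;
    size_t        len;
} attr_t;

/* Constructed attribute codes for this example, not PKCS #11 constants. */
enum { ATTR_FIXED_BASE = 1, ATTR_KEY_LEN = 100 };
#define FIXED_ATTRS  5                  /* always present in this model */
#define TEMPLATE_MAX (FIXED_ATTRS + 1)  /* plus the optional key length */

/* Append with a bounds check that stays active in optimized builds,
 * unlike an assert() that is compiled out under NDEBUG. */
static int attr_add(attr_t *tmpl, size_t cap, size_t *count,
                    unsigned long type, const void *value, size_t len)
{
    if (*count >= cap)
        return -1;                      /* template full: refuse to write */
    tmpl[*count].type  = type;
    tmpl[*count].value = value;
    tmpl[*count].len   = len;
    (*count)++;
    return 0;
}

/* Fill tmpl for key generation. A NULL or zero key_size models DES/3DES
 * (no length attribute); a nonzero one models AES. Returns the attribute
 * count, or -1 if cap is too small for the attributes this call needs. */
int build_keygen_template(attr_t *tmpl, size_t cap,
                          const unsigned long *key_size)
{
    static const unsigned char on = 1;  /* constructed attribute value */
    size_t count = 0;
    int i;

    for (i = 0; i < FIXED_ATTRS; i++)
        if (attr_add(tmpl, cap, &count, ATTR_FIXED_BASE + i, &on, sizeof on))
            return -1;
    if (key_size != NULL && *key_size != 0 &&
        attr_add(tmpl, cap, &count, ATTR_KEY_LEN, key_size, sizeof *key_size))
        return -1;
    return (int)count;
}
```

With a five-entry template the call succeeds when no key size is given and returns -1 when one is, instead of writing a sixth entry past the end of the array.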
