DecodeDBSubjectEntry needs to protect against reading beyond the end of the dbentry

RESOLVED FIXED in 3.8

Product: NSS
Component: Libraries
Status: RESOLVED FIXED
Reported 16 years ago, last modified 15 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Robert Relyea)

Attachments: 1 attachment

Description (Reporter), 16 years ago
In lib/softoken/pcertdb.c, function DecodeDBSubjectEntry,
there is no protection against reading beyond the end of
the dbentry.  Therefore, the code is likely to crash if
the data in the dbentry is corrupted.

Throughout the function, we should check that the offset
of the data we want to read is less than dbentry->len
before we read it.
Comment 1 (Assignee), 16 years ago
Needs to be fixed in NSS 3.8.
Target Milestone: --- → 3.8
Comment 2 (Assignee), 15 years ago
Created attachment 115944 [details] [diff] [review]
Check the length validity before we try to reference it.

Don't read beyond the database buffer, even if the record has been corrupted.

Updated (Assignee), 15 years ago
Attachment #115944 - Flags: superreview?(jpierre)
Attachment #115944 - Flags: review?(wtc)
Comment 3 (Reporter), 15 years ago
Comment on attachment 115944 [details] [diff] [review]
Check the length validity before we try to reference it.

> 	for (i=0; i < entry->nemailAddrs; i++) {
>-	    int nameLen = tmpbuf[0] << 8 | tmpbuf[1];
>+	    int nameLen;
>+	    if (tmpbuf + 2 >= end) {
>+		goto loser;
>+	    }
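Review bot: the new test `tmpbuf + 2 >= end` in this hunk is off by one in the strict direction: when exactly two bytes remain (`tmpbuf + 2 == end`), both `tmpbuf[0]` and `tmpbuf[1]` are still inside the buffer, yet the code jumps to `loser`, so a record whose final length field ends exactly at the end of the entry is rejected as corrupt. Write it as `tmpbuf + 2 > end`, or better `end - tmpbuf < 2`, which also avoids forming a pointer past `end`. The quoted hunk stops at reading `nameLen`; the `nameLen` bytes that follow need the same treatment (`end - tmpbuf < nameLen`) before they are used, and that check should be visible in the same change.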

This check should say "tmpbuf +1 >= end" or "tmpbuf +2 > end".
Attachment #115944 - Flags: review?(wtc) → review-
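The bounds-checking pattern the patch introduces, with the comparison corrected as Wan-Teh suggests, as an added C example that is not NSS code: it assumes a simplified record layout (a 2-byte count followed by 2-byte length-prefixed names, big-endian), not the actual pcertdb.c subject entry format, and the sample records are constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified form of the email-address part of a subject
 * entry: [2-byte count][2-byte len][name bytes]..., all big-endian. */
typedef struct {
    unsigned int   nemailAddrs;
    const uint8_t *emailAddrs[8];
    size_t         emailLens[8];
} EmailList;

/* Returns 0 on success, -1 if the record is truncated or corrupt.  Every
 * read is preceded by a check of the bytes remaining before end, computed
 * as a difference rather than by forming a pointer past end. */
int decode_email_list(const uint8_t *buf, size_t len, EmailList *out)
{
    const uint8_t *tmpbuf = buf;
    const uint8_t *end = buf + len;   /* one past the last valid byte */
    unsigned int i;
    if (end - tmpbuf < 2)
        return -1;
    out->nemailAddrs = (unsigned int)(tmpbuf[0] << 8 | tmpbuf[1]);
    tmpbuf += 2;
    if (out->nemailAddrs > 8)
        return -1;
    for (i = 0; i < out->nemailAddrs; i++) {
        size_t nameLen;
        /* Reviewer's form: fail only when fewer than 2 bytes remain; the
         * patch's "tmpbuf + 2 >= end" also rejects exactly 2 remaining. */
        if (end - tmpbuf < 2)
            return -1;
        nameLen = (size_t)(tmpbuf[0] << 8 | tmpbuf[1]);
        tmpbuf += 2;
        if ((size_t)(end - tmpbuf) < nameLen)   /* the name bytes must fit too */
            return -1;
        out->emailAddrs[i] = tmpbuf;
        out->emailLens[i] = nameLen;
        tmpbuf += nameLen;
    }
    return 0;
}

/* Constructed sample records (not taken from any NSS database). */
static const uint8_t kGood[]  = {0,2, 0,3,'a','@','x', 0,3,'b','@','y'};
static const uint8_t kTrunc[] = {0,2, 0,3,'a','@','x', 0,3,'b','@'};
static const uint8_t kEmpty[] = {0,1, 0,0};  /* length field ends exactly at end */

int decode_sample(const uint8_t *rec, size_t len) { EmailList l; return decode_email_list(rec, len, &l); }
```

kEmpty is the case the original `>=` comparison would have rejected: the last length field occupies the final two bytes, which is still a valid read.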
Comment 4 (Assignee), 15 years ago
Fix checked into trunk.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Updated, 15 years ago
Attachment #115944 - Flags: superreview?(jpierre)