Closed Bug 1893752 Opened 1 year ago Closed 1 year ago

Use of uninitialized variables on error in ckcapi_getContainer()

Categories

(NSS :: Libraries, defect, P3)

Tracking

(firefox-esr115 wontfix, firefox125 wontfix, firefox126 wontfix, firefox127 fixed)

RESOLVED FIXED

People

(Reporter: mozillabugs, Assigned: jschanck)

References

Details

(Keywords: reporter-external, sec-other, Whiteboard: [post-critsmash-triage][adv-main127-])

Attachments

(1 file)

ckcapi_getContainer() (nss/lib/ckfw/capi/cobject.c) will use uninitialized variables if UuidCreate() (line 1865) and/or UuidToString() (line 1866) fail.

UuidCreate() can fail if the machine lacks a usable ethernet address (https://learn.microsoft.com/en-us/windows/win32/api/rpcdce/nf-rpcdce-uuidcreate), as could happen if the ethernet adapter falls offline for some reason. UuidToString() can fail on OOM of some private pool inside Windows, since you must free its result with RpcStringFree() (https://learn.microsoft.com/en-us/windows/win32/api/rpcdce/nf-rpcdce-uuidtostring).

These bugs appear latent in Firefox, as this function isn't built into FF v124.0.2. Presumably it can affect other code using NSS.

From FIREFOX_124_0_2_RELEASE:

1855: static char *
1856: ckcapi_getContainer(
1857:     CK_RV *pError,
1858:     NSSItem *id)
1859: {
1860:     RPC_STATUS rstat;
1861:     UUID uuid;
1862:     char *uuidStr;
1863:     char *container;
1864: 
1865:     rstat = UuidCreate(&uuid);
1866:     rstat = UuidToString(&uuid, &uuidStr);
1867: 
1868:     /* convert it from rcp memory to our own */
1869:     container = nssUTF8_Duplicate(uuidStr, NULL);
1870:     RpcStringFree(&uuidStr);
1871: 
1872:     return container;
1873: }
Flags: sec-bounty?
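For comparison, the checked form of the function, as an added example that is not NSS code (the actual fix deleted the function entirely): every RPC status is tested before its output is used, so uuidStr is never read or handed to RpcStringFree() while uninitialized. The Windows RPC calls are replaced by constructed stand-ins (mock_UuidCreate, mock_UuidToString, mock_RpcStringFree, driven by a hypothetical fail_step switch) so the control flow builds and runs off Windows; the CKR_* values are the PKCS#11 ones.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup() */
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_RV;   /* PKCS#11 return codes */
#define CKR_OK            0x00UL
#define CKR_HOST_MEMORY   0x02UL
#define CKR_GENERAL_ERROR 0x05UL
typedef long RPC_STATUS;
#define RPC_S_OK 0L

/* Constructed fault injection, not the Windows functions: fail_step 1 makes
 * the UuidCreate stand-in fail, fail_step 2 makes the UuidToString stand-in fail. */
static int fail_step = 0;

static RPC_STATUS mock_UuidCreate(char *uuid) {
    if (fail_step == 1) return 1L;  /* constructed non-zero status: uuid left unset */
    strcpy(uuid, "12345678-1234-1234-1234-123456789abc"); /* constructed UUID */
    return RPC_S_OK;
}
static RPC_STATUS mock_UuidToString(const char *uuid, char **out) {
    if (fail_step == 2) return 1L;  /* *out deliberately left untouched, as on OOM */
    *out = strdup(uuid);
    return *out ? RPC_S_OK : 1L;
}
static void mock_RpcStringFree(char **s) { free(*s); *s = NULL; }

/* Checked form: each status is tested before its output is used. */
static char *getContainer_checked(CK_RV *pError) {
    char uuid[37];
    char *uuidStr = NULL, *container;
    if (mock_UuidCreate(uuid) != RPC_S_OK) {          /* nothing produced, nothing to free */
        *pError = CKR_GENERAL_ERROR; return NULL;
    }
    if (mock_UuidToString(uuid, &uuidStr) != RPC_S_OK) { /* uuidStr still unset: do not free */
        *pError = CKR_HOST_MEMORY; return NULL;
    }
    container = strdup(uuidStr);       /* stands in for nssUTF8_Duplicate() */
    mock_RpcStringFree(&uuidStr);      /* only reached once uuidStr is valid */
    *pError = container ? CKR_OK : CKR_HOST_MEMORY;
    return container;
}

/* Runs one fault case; returns 1 if the error code and NULL/non-NULL result match. */
static int probe(int step, CK_RV want_err, int want_container) {
    CK_RV err = 0xffUL; fail_step = step;
    char *c = getContainer_checked(&err);
    int ok = (err == want_err) && ((c != NULL) == want_container);
    free(c);
    return ok;
}
```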

I suspect that no one has built this code since 2009 (Bug 494302). Let's just delete it.

Assignee: nobody → jschanck
Severity: -- → S4
Status: NEW → ASSIGNED
Priority: -- → P3
See Also: → 1464224
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty-
Group: crypto-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main127-]
Group: core-security-release