1967826 - Assertion failure: len > 0 && len < ARCFOUR_STATE_SIZE, at ../../lib/freebl/arcfour.c:125

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P5)

Description

[Maurice Dauer [:mdauer]]

Attachment: clusterfuzz-testcase-minimized-pkcs12-5180937115860992

OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5180937115860992

Details

The assertion exists since the initial checkin of ARCFour. Interestingly, the case is handled fine immediately afterwards:

    /* verify the key length. */
    PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
    if (len == 0 || len >= ARCFOUR_STATE_SIZE) {
        PORT_SetError(SEC_ERROR_BAD_KEY);
        return SECFailure;
    }

Marking this as security sensitive for now since I'm not sure about the implications of this. Feel free to adjust.

---

To reproduce, perform the following steps:

1. Build NSS with ./build.sh -c --fuzz --disable-tests
2. Run /path/to/dist/Debug/bin/nssfuzz-pkcs12 /path/to/testcase

Comment 1

[Daniel Veditz [:dveditz] back 2026-04-08]

The code follows the assert with actually enforcing the condition in code (len is unsigned) so this isn't a security bug.

Comment 2

[Nikolas Wipper [:nwipper]]

Attachment: Bug 1967826 - remove unneccessary assertion in arcfour.c r=#nss-reviewers

Assert case was handled with an error immediately afterwards.

Comment 3

[Nikolas Wipper [:nwipper]]

Since the assert covers the exact same case as the "proper" check, removing it should be fine, and make the fuzzer happy (no more assert crashes). The patch is on try here which is looking good so far.

Comment 4

[Anna Weine]

https://hg-edge.mozilla.org/projects/nss/rev/9f9b75060ea0db6573af029ac8958b54e620ccb3