incorrect arena type in JSSL_JavaCertAuthCallback

RESOLVED FIXED in 3.5

Status

RESOLVED FIXED
15 years ago
14 years ago

People

(Reporter: jamie-bugzilla, Assigned: glenbeasley)

Tracking

unspecified

Details

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

15 years ago
There is a hack in NSS whereby PLArenaPool* variables actually point at the data
type PORTArenaPool, which is a wrapper around a PLArenaPool. Since a PLArenaPool
is the first element in the PORTArenaPool struct, a PORTArenaPool* can be cast
to a PLArenaPool*. A PORTArenaPool is allocated, it is returned as a
PLArenaPool*, and then if the PORTArenaPool functionality is required, it is
cast back to a PORTArenaPool.

In JSSL_JavaCertAuthCallback we allocate an arena that is passed to
CERT_VerifyCert. The type we allocate is a PLArenaPool, which is in fact the
type indicated by the header files. However, NSS really expects it to be a
PORTArenaPool, and casts it to a PORTArenaPool* and tries to access memory in
the PORTArenaPool. At this point it is accessing memory that it shouldn't.

The solution is to allocate a PORTArenaPool instead of a PLArenaPool.
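To make the layout trick concrete, the following is a constructed C example added here; it is not JSS or NSS code, and the struct layouts, the magic value and the function names are simplified stand-ins, not the real NSPR/NSS definitions. It shows why an allocation sized for a bare PLArenaPool is too small for the fields NSS reads after casting the pointer to PORTArenaPool*, and the allocation and cleanup pattern a caller should use instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for NSPR's PLArenaPool (constructed, not the real layout). */
typedef struct PLArenaPool_stub {
    void   *first;      /* head of the chunk list */
    void   *current;    /* chunk currently being carved from */
    size_t  arenasize;  /* default chunk size requested by the caller */
} PLArenaPool;

/* Constructed sentinel; the real value, if any, is not taken from this page. */
#define PORT_ARENA_MAGIC 0xB8AC9BDFu

/* Simplified stand-in for NSS's PORTArenaPool wrapper. The PLArenaPool must be
 * the FIRST member so that PORTArenaPool* and PLArenaPool* are interchangeable. */
typedef struct PORTArenaPool_stub {
    PLArenaPool arena;   /* at offset 0: a PLArenaPool* cast works both ways */
    uint32_t    magic;   /* lets the library recognise a pool it allocated itself */
    void       *lock;    /* per-pool lock; unused in this example */
} PORTArenaPool;

/* Returns 1 if an allocation of alloc_size bytes covers every field the library
 * touches after casting to PORTArenaPool*, 0 if such an access would run past
 * the end of the allocation (the defect described in the report). */
int port_arena_fields_fit(size_t alloc_size)
{
    return alloc_size >= offsetof(PORTArenaPool, lock) + sizeof(void *);
}

/* Hypothetical PORT_NewArena analogue: allocates the wrapper, hands back the
 * embedded PLArenaPool*, so callers see only the public type. */
PLArenaPool *stub_port_new_arena(size_t chunksize)
{
    PORTArenaPool *pool = calloc(1, sizeof(*pool));
    if (pool == NULL)
        return NULL;
    pool->arena.arenasize = chunksize;
    pool->magic = PORT_ARENA_MAGIC;
    return &pool->arena;
}

/* What the library does internally: cast back and consult the wrapper fields.
 * Only safe if the pointer really came from stub_port_new_arena. */
int stub_port_arena_is_valid(const PLArenaPool *arena)
{
    const PORTArenaPool *pool = (const PORTArenaPool *)arena;
    return pool->magic == PORT_ARENA_MAGIC;
}

void stub_port_free_arena(PLArenaPool *arena)
{
    /* PLArenaPool sits at offset 0, so this is the start of the allocation. */
    free(arena);
}

/* Caller shaped like the fixed callback: obtain the arena through the wrapper
 * allocator, check for allocation failure, and release it on every path via a
 * single cleanup label. Returns 0 on success, -1 on failure. */
int stub_cert_auth_callback(size_t chunksize)
{
    int rv = -1;
    PLArenaPool *arena = stub_port_new_arena(chunksize);
    if (arena == NULL)
        goto finish;
    if (!stub_port_arena_is_valid(arena))
        goto finish;
    rv = 0;  /* verification work would happen here */
finish:
    if (arena != NULL)
        stub_port_free_arena(arena);
    return rv;
}

int main(void)
{
    printf("bare PLArenaPool (%zu bytes) fits wrapper fields: %d\n",
           sizeof(PLArenaPool), port_arena_fields_fit(sizeof(PLArenaPool)));
    printf("PORTArenaPool (%zu bytes) fits wrapper fields: %d\n",
           sizeof(PORTArenaPool), port_arena_fields_fit(sizeof(PORTArenaPool)));
    printf("callback result: %d\n", stub_cert_auth_callback(2048));
    return 0;
}
```

The size check is deliberately done with offsetof rather than by reading the field from an undersized buffer, since the latter is exactly the out-of-bounds access the bug describes. The practical rule is that a PLArenaPool handed to a library expecting its own wrapper type must come from that library's allocator, never from a local allocation of the public struct.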
(Reporter)

Comment 1

15 years ago
Created attachment 135444 [details] [diff] [review]
proposed patch

This patch allocates a PORTArenaPool instead of a PLArenaPool.
(Reporter)

Comment 2

15 years ago
Created attachment 135447 [details] [diff] [review]
typo: DEFAULT_CHUNKSIZE should be DER_DEFAULT_CHUNKSIZE
Attachment #135444 - Attachment is obsolete: true

Comment 3

15 years ago
Created attachment 135450 [details] [diff] [review]
Proposed patch v3

Changes from the previous patch:
1. Handle the failure of PORT_NewArena.
2. Fixed a memory leak on an error path.  Need to 'goto finish'
to execute the cleanup code before returning.

Jamie, please review.

Updated

15 years ago
Attachment #135447 - Attachment is obsolete: true
(Assignee)

Comment 4

14 years ago
Wan-Teh, I would like to check this in. I checked this fix in to the
SUN_SECURITY_3_3_BRANCH early this year.
Assignee: jamie-bugzilla → glen.beasley
(Assignee)

Comment 5

14 years ago
Confirmed Wan-Teh checked in fix. Target milestone set to 4.0 and closing bug.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Version: 3.4 → 4.0

Comment 6

14 years ago
This is fixed in JSS 3.5.  (There is a JSS 3.5 release.)
Target Milestone: --- → 3.5
Version: 4.0 → unspecified