Closed Bug 225626 Opened 21 years ago Closed 20 years ago

incorrect arena type in JSSL_JavaCertAuthCallback

Categories

(JSS Graveyard :: Library, defect)

Product:
JSS Graveyard
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jamie-bugzilla, Assigned: glenbeasley)

Details

Attachments

(1 file, 2 obsolete files)

Proposed patch v3
1.21 KB, patch
Details | Diff | Splinter Review 
There is a hack in NSS whereby PLArenaPool* variables actually point at the data
type PORTArenaPool, which is a wrapper around a PLArenaPool. Since a PLArenaPool
is the first element in the PORTArenaPool struct, a PORTArenaPool* can be cast
to a PLArenaPool*. A PORTArenaPool is allocated, it is returned as a
PLArenaPool*, and then if the PORTArenaPool functionality is required, it is
cast back to a PORTArenaPool.

In JSSL_JavaCertAuthCallback we allocate an arena that is passed to
CERT_VerifyCert. The type we allocate is a PLArenaPool, which is in fact the
type indicated by the header files. However, NSS really expects it to be a
PORTArenaPool, and casts it to a PORTArenaPool* and tries to access memory in
the PORTArenaPool. At this point it is accessing memory that it shouldn't.

The solution is to allocate a PORTArenaPool instead of a PLArenaPool.
Attached patch proposed patch (obsolete) — Splinter Review 
This patch allocates a PORTArenaPool instead of a PLArenaPool.

        Attachment #135444 -
        Attachment is obsolete: true

    
    

    
  


  
Changes from the previous patch:
1. Handle the failure of PORT_NewArena.
2. Fixed a memory leak on an error path.  Need to 'goto finish'
to execute the cleanup code before returning.

Jamie, please review.

    
  

        Attachment #135447 -
        Attachment is obsolete: true

    
    

    
  
Wan-Teh, I would like to check this in. I checked this fix it in to the
SUN_SECURITY_3_3_BRANCH early this year. 
Assignee: jamie-bugzilla → glen.beasley

    
    

    
  
confirmed Wan-teh checked in fix. target milestone set to 4.0 and closing bug. 
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Version: 3.4 → 4.0

    
    

    
  
This is fixed in JSS 3.5.  (There is a JSS 3.5 release.)
Target Milestone: --- → 3.5
Version: 4.0 → unspecified

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: