Closed Bug 265504 Opened 21 years ago Closed 21 years ago

cmsutil core dumps with invalid option set.

Categories

(NSS :: Tools, defect, P2)

Product:
NSS
Component:
Tools
Version:
3.9.3
Platform:
Sun
Solaris
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jason.m.reid, Assigned: julien.pierre)

Details

Attachments

(1 file, 1 obsolete file)

check the ptr before PR_Open
951 bytes, patch
wtc
: review+
Details | Diff | Splinter Review
If cmsutil is not given a file for batch mode, the command core dumps. $ uname -a SunOS onias 5.10 s10_68 sun4u sparc SUNW,Sun-Blade-100 $ /usr/sfw/bin/cmsutil -D -b -i cmsutil: unable to open "Segmentation Fault(coredump) $ file core core: ELF 32-bit MSB core file SPARC Version 1, from 'cmsutil' $ pkginfo -l SUNWtlsu PKGINST: SUNWtlsu NAME: Network Security Services Utilities CATEGORY: system ARCH: sparc VERSION: 3.9.3,REV=2004.07.22.04.51 BASEDIR: / VENDOR: Sun Microsystems, Inc. DESC: Network Security Services Utilities Programs PSTAMP: shame20040722045210 INSTDATE: Sep 24 2004 14:44 HOTLINE: Please contact your local service provider STATUS: completely installed FILES: 21 installed pathnames 3 shared pathnames 4 directories 16 executables 21279 blocks used (approx) I have reproduced this on both SPARC and x86 systems.
Jason, thanks for the report. If you can, in the future, please report the stack of crashes using "dbx <progname core" and the "where" command. In this case the crash is due to lack of validation on the value argument for -i (dbx) where [1] strlen(), at 0xfffffd7fff2aa2b3 [2] _ndoprnt(), at 0xfffffd7fff2d5173 [3] fprintf(), at 0xfffffd7fff2d6042 =>[4] main(argc = 4, argv = 0xfffffd7ffffff788), line 1296 in "cmsutil.c" (dbx) list 1290,1300 1290 } 1291 break; 1292 case 'i': 1293 inFile = PR_Open(optstate->value, PR_RDONLY, 00660); 1294 if (inFile == NULL) { 1295 fprintf(stderr, "%s: unable to open \"%s\" for reading\n", 1296 progName, optstate->value); 1297 exit(1); 1298 } 1299 break; 1300 (dbx) p *optstate *optstate = { option = 'i' value = (nil) internal = 0x43cf30 } (dbx)
Assignee: wchang0222 → julien.pierre.bugs
Priority: -- → P2
Target Milestone: --- → 3.9.4
Attached patch fix coredump on -i without file (obsolete) — Splinter Review
You would think getopt would not provide a NULL ptr in optstate->value given the "i:" definition in the parser which means it requires an argument. sigh. We should probably review all the other arguments, but I only have time to fix this one today.
Attachment #162894 - Flags: review?(saul.edwards.bugs)
Keywords: sun-orion3
Comment on attachment 162894 [details] [diff] [review] fix coredump on -i without file I seem to remember fixing this for some of our other commands... I'm sure this problem is rampant. If the option parser didn't provide the NULL pointer, how else would we know of an error state in PL_GetOpt?
Attachment #162894 - Flags: review?(saul.edwards.bugs) → review+
Saul, thanks for the review. Regarding the 2nd question - the getopt parser call could fail . But I guess we may not know about specific failures then. It sounds like we need to check all the tools that we ship for this problem in 3.10 .
Comment on attachment 162894 [details] [diff] [review] fix coredump on -i without file > case 'i': > inFile = PR_Open(optstate->value, PR_RDONLY, 00660); > if (inFile == NULL) { >- fprintf(stderr, "%s: unable to open \"%s\" for reading\n", >- progName, optstate->value); >+ if (optstate->value) { >+ fprintf(stderr, "%s: unable to open \"%s\" for reading\n", >+ progName, optstate->value); >+ } else { >+ fprintf(stderr, "-i option requires filename argument\n"); >+ } > exit(1); > } > break; You should check for a null optstate->value before the PR_Open call. It is bad to pass a null pointer as the first argument to PR_Open.
Attachment #162894 - Flags: review+ → review?(saul.edwards.bugs)
Attachment #162894 - Attachment is obsolete: true
Thanks, Wan-Teh.
Attachment #162894 - Flags: review?(saul.edwards.bugs)
Comment on attachment 162956 [details] [diff] [review] check the ptr before PR_Open r=wtc.
Attachment #162956 - Flags: review+
checked in to NSS_3_9_BRANCH Checking in cmsutil.c; /cvsroot/mozilla/security/nss/cmd/smimetools/cmsutil.c,v <-- cmsutil.c new revision: 1.48.4.1; previous revision: 1.48 done and the tip Checking in cmsutil.c; /cvsroot/mozilla/security/nss/cmd/smimetools/cmsutil.c,v <-- cmsutil.c new revision: 1.52; previous revision: 1.51 done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: