Bug 304361 (Closed)
Opened 19 years ago, closed 18 years ago
smime: possible memory corruption when encoding/decoding smime_encryptionkeypref_template
Categories: NSS :: Libraries, defect, P2
Tracking: not tracked
Status: RESOLVED FIXED, target milestone 3.11.3
People: Reporter alvolkov.bgs, Assigned alvolkov.bgs
Attachments (1 file): 1.26 KB patch; nelson: review+; julien.pierre: superreview+
File nss/lib/smime/smimeutil.c
The following template has two choice template entries that
have the same "selector" values. As a result, if choice #2
(the one that corresponds to NSSCMSRecipientKeyIdentifierTemplate) gets encoded,
the encoder tries to work with data related to CERT_IssuerAndSNTemplate
(the id.issuerAndSN pointer) and ends up reading data from an uninitialized pointer.
NSSSMIMEEncryptionKeyPref_IssuerSN in the second choice should be replaced
with NSSSMIMEEncryptionKeyPref_RKeyID.
static const SEC_ASN1Template smime_encryptionkeypref_template[] = {
    { SEC_ASN1_CHOICE,
      offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL,
      sizeof(NSSSMIMEEncryptionKeyPreference) },
    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
      offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN),
      SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
      NSSSMIMEEncryptionKeyPref_IssuerSN },
    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1,
      offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID),
      NSSCMSRecipientKeyIdentifierTemplate,
      NSSSMIMEEncryptionKeyPref_IssuerSN },   /* duplicate selector; should be NSSSMIMEEncryptionKeyPref_RKeyID */
    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
      offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID),
      SEC_ASN1_SUB(SEC_OctetStringTemplate),
      NSSSMIMEEncryptionKeyPref_SubjectKeyID },
    { 0, }
};
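A constructed model (added here, not NSS code) of how a CHOICE entry is picked from the value's selector field, showing why the duplicated NSSSMIMEEncryptionKeyPref_IssuerSN makes choice #2 resolve to the issuerAndSN entry, with a table check that flags the duplicate. The first-match lookup, the struct layout and the type and constant names are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model of the CHOICE dispatch this bug describes; not NSS code.
 * Each entry records where its member lives in the struct and the selector
 * value that names it (the last field of each entry in the page's template). */
typedef enum { Pref_IssuerSN = 0, Pref_RKeyID = 1, Pref_SubjectKeyID = 2 } PrefSel;
typedef struct {
    PrefSel selector;
    void *issuerAndSN;      /* only the member named by the selector is filled in */
    void *recipientKeyID;
    void *subjectKeyID;
} EncKeyPref;
typedef struct { size_t offset; PrefSel selector; } ChoiceEntry;
#define NENTRIES 3
/* Mirrors the page's template: choice #2 repeats Pref_IssuerSN. */
const ChoiceEntry buggy_template[NENTRIES] = {
    { offsetof(EncKeyPref, issuerAndSN),    Pref_IssuerSN },
    { offsetof(EncKeyPref, recipientKeyID), Pref_IssuerSN },    /* should be Pref_RKeyID */
    { offsetof(EncKeyPref, subjectKeyID),   Pref_SubjectKeyID },
};
/* The patch in this thread: choice #2 gets its own selector value. */
const ChoiceEntry fixed_template[NENTRIES] = {
    { offsetof(EncKeyPref, issuerAndSN),    Pref_IssuerSN },
    { offsetof(EncKeyPref, recipientKeyID), Pref_RKeyID },
    { offsetof(EncKeyPref, subjectKeyID),   Pref_SubjectKeyID },
};
/* Assumed first-match lookup: the first entry whose selector equals the one
 * stored in the value is the member that gets encoded. A caller wanting choice
 * k stores t[k].selector (a decoder stores the same after parsing tag [k]), so
 * with the duplicate, choice 1 lands on entry 0 and issuerAndSN is read. */
int resolve_choice(const ChoiceEntry *t, int wanted) {
    PrefSel sel = t[wanted].selector;
    for (int i = 0; i < NENTRIES; i++)
        if (t[i].selector == sel) return i;
    return -1;
}
/* Table-level check: a CHOICE template is unsound if two entries share a selector. */
int has_duplicate_selector(const ChoiceEntry *t) {
    for (int i = 0; i < NENTRIES; i++)
        for (int j = i + 1; j < NENTRIES; j++)
            if (t[i].selector == t[j].selector) return 1;
    return 0;
}

int main(void) {
    printf("buggy: choice 1 -> entry %d\n", resolve_choice(buggy_template, 1));
    printf("fixed: choice 1 -> entry %d\n", resolve_choice(fixed_template, 1));
    return 0;
}
```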
Updated•19 years ago
Summary: smime: possible memory corruption when encoding/decoding smime_encryptionkeypref_template → smime: possible memory corruption when encoding/decoding smime_encryptionkeypref_template
Comment 1•19 years ago
The template is used by smimeutil.c:NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs and
smimeutil.c:NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference to store or
retrieve a certificate (key) using issuerAndSN, recipient key ID, or subject key ID.
The only implemented option today is issuerAndSN.
The others are yet to be implemented. This is the reason the problem was not
seen/reported before.
The template is local to smimeutil.c. It should be no problem to fix it as suggested.
Comment 2•19 years ago
Attachment #193088 - Flags: review?(nelson)
Comment 3•19 years ago
Comment on attachment 193088
Patch replaces NSSSMIMEEncryptionKeyPref_IssuerSN with NSSSMIMEEncryptionKeyPref_RKeyID
Looks right to me. Please check it in on the trunk.
Attachment #193088 - Flags: review?(nelson) → review+
Updated•19 years ago
Priority: -- → P2
Target Milestone: --- → 3.11
Comment 4•19 years ago
Alexei, please check this in today.
Updated•19 years ago
QA Contact: jason.m.reid → libraries
Updated•19 years ago
Target Milestone: 3.11 → 3.11.1
Comment 5•18 years ago
Comment on attachment 193088
Patch replaces NSSSMIMEEncryptionKeyPref_IssuerSN with NSSSMIMEEncryptionKeyPref_RKeyID
I've lost track of this bug. Asking for second review to integrate to 3.11 branch.
Attachment #193088 - Flags: superreview?(julien.pierre.bugs)
Updated•18 years ago
Attachment #193088 - Flags: superreview?(julien.pierre.bugs) → superreview+
Comment 6•18 years ago
tip:
/cvsroot/mozilla/security/nss/lib/smime/smimeutil.c,v <-- smimeutil.c
new revision: 1.18; previous revision: 1.17
3.11 branch:
/cvsroot/mozilla/security/nss/lib/smime/smimeutil.c,v <-- smimeutil.c
new revision: 1.16.28.4; previous revision: 1.16.28.3
Updated•18 years ago
Target Milestone: 3.11.1 → 3.11.3
Updated•18 years ago
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED