Closed
Bug 320454
Opened 19 years ago
Closed 19 years ago
Certificates with Combined issuer and serial number lengths greater than 512 bytes crashes any Mozilla app.
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 298906
3.11
People
(Reporter: mehovis, Assigned: wtc)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Generate a certificate that has a long issuer so that the decoded length of the issuer and serial number is greater than 512 bytes. Import that certificate using Thunderbird or Firefox - kablooie!

Reproducible: Always

Expected Results:
Crash is never an option.

In security/nss/lib/softoken/lowcert.c

    rv = nsslowcert_KeyFromIssuerAndSN(NULL, &cert->derIssuer, &cert->serialNumber, &cert->certKey);

Inside nsslowcert_KeyFromIssuerAndSN, it calls PORT_ArenaAlloc with that NULL parameter - when the key length isn't sufficient. By passing null, it's always assumed that the length of certKey will be enough to handle the combined length of derIssuer and serialNumber (currently hardcoded as 512 bytes in pcertt.h where NSSLOWCERTCertificateStr is defined). This results in a dereferenced null pointer - no buffer overruns.
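Added illustration (not part of the bug report and not NSS source): a C sketch of the pattern the description reports, with a fixed 512-byte key buffer, a fallback allocation from an arena the caller passed as NULL, and the return-value check that turns the crash into a rejected import. All type and function names, the allocator's behaviour without an arena, and the serial-then-issuer key layout are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#define KEY_SPACE 512 /* fixed key buffer size named in the report */
typedef struct { unsigned char *data; size_t len; } Item;
typedef struct { int unused; } Arena;
typedef struct {
    Item issuer, serial, key;
    unsigned char key_space[KEY_SPACE]; /* inline storage for short keys */
} Cert;

/* Toy allocator (assumption): with no arena there is nothing to allocate
 * from, so it returns NULL, the condition the report describes. */
static void *arena_alloc(Arena *arena, size_t n) {
    return arena ? malloc(n) : NULL;
}

/* Build key = serial || issuer (layout is an assumption); 0 on success. */
static int key_from_issuer_and_sn(Arena *arena, const Item *issuer,
                                  const Item *serial, Item *key) {
    size_t need;
    if (issuer->len > (size_t)-1 - serial->len) return -1; /* sum wraps */
    need = issuer->len + serial->len;
    if (need > key->len) {               /* inline buffer too small */
        unsigned char *p = arena_alloc(arena, need);
        if (p == NULL) return -1;        /* without this check: NULL write */
        key->data = p;
    }
    key->len = need;
    memcpy(key->data, serial->data, serial->len);
    memcpy(key->data + serial->len, issuer->data, issuer->len);
    return 0;
}

/* Call site in the shape the report quotes: NULL arena, inline buffer. */
static int cert_set_key(Cert *c) {
    c->key.data = c->key_space;
    c->key.len = sizeof c->key_space;
    return key_from_issuer_and_sn(NULL, &c->issuer, &c->serial, &c->key);
}
/* Constructed input: zero-filled issuer of issuer_len bytes, 16-byte serial. */
static int try_import(size_t issuer_len) {
    static unsigned char issuer[1024], serial[16];
    Cert c;
    if (issuer_len > sizeof issuer) return -1;
    c.issuer.data = issuer; c.issuer.len = issuer_len;
    c.serial.data = serial; c.serial.len = sizeof serial;
    return cert_set_key(&c);
}
```

The caller must also act on the non-zero return and abort the import; a checked allocation is of no use if the call site ignores the result.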
Updated•19 years ago
Assignee: dveditz → wtchang
Component: Security → Libraries
Product: Mozilla Application Suite → NSS
QA Contact: seamonkey → jason.m.reid
Comment 1•19 years ago
dupe of bug 298906?
Comment 2 (Assignee)•19 years ago
This is a known bug and has been fixed in the latest NSS 3.11 release, which is not yet in any Firefox build. I will add further comments in the original bug report.

*** This bug has been marked as a duplicate of 298906 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → 3.11