Closed Bug 330900 Opened 14 years ago Closed 14 years ago
Crypto::Generate CRMFRequest reads past end of array when given 2 args
Marking this security-sensitive mainly because I discovered it while looking at bug 330897, and the reverse is therefore also reasonably likely, not because I think it's exploitable (although it's possible that it is, although I think unlikely). nsCrypto::GenerateCRMFRequest intends to allow a number of arguments that is 5, 8, 11, 14, etc. But it doesn't give an error if it's given 2 arguments, which could cause it to read past the end of an array. I haven't tried writing a testcase for this yet, though.
I guess this would also fix bug 327524, right?
Comment on attachment 215468 [details] [diff] [review] patch r=kengert Thanks for the patch. The documentation for this function is here: http://developer.mozilla.org/en/docs/generateCRMFRequest Note that calling this function does not make much sense if one supplies 5 parameters; the smallest reasonable number of parameters is 8. The documentation page requests that after the first 5 params, there must be "one or more sets" of additional params. So I think it's ok if we require supplying at least 8 params.
Attachment #215468 - Flags: review+
Attachment #215468 - Flags: approval-branch-1.8.1?(kengert)
Attachment #215468 - Flags: superreview?(jst)
Attachment #215468 - Flags: approval-branch-1.8.1?(kengert) → approval-branch-1.8.1+
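An added example (not the patch on this bug and not Mozilla's code) modelling the argument-count check the comments describe: the function takes 5 fixed arguments followed by groups of 3, so a check that only tests divisibility by 3 accepts argc == 2, because (2 - 5) % 3 is 0 in signed C++ arithmetic, and the caller then reads argv[0..4] from a 2-element array. Requiring the minimum of 8 first, as the review suggests, rejects it. The exact form of the original check and the helper names are assumptions.

```cpp
// Constructed model of the generateCRMFRequest argument layout discussed in
// this bug: 5 fixed arguments, then one or more groups of 3.
static const int kFixedArgs = 5;
static const int kGroupSize = 3;
static const int kMinArgs = kFixedArgs + kGroupSize; // 8, per the review comment

// Assumed shape of the original check: only verifies that the remainder after
// the fixed arguments is a multiple of 3. With argc == 2, (2 - 5) % 3 == 0,
// so the call is accepted even though there are fewer than 5 arguments.
bool argCountLooksValid_before(int argc) {
    return (argc - kFixedArgs) % kGroupSize == 0;
}

// Hardened check: enforce the minimum count before testing the group structure.
bool argCountLooksValid_after(int argc) {
    if (argc < kMinArgs) return false;
    return (argc - kFixedArgs) % kGroupSize == 0;
}

// Simulates the consumer of argv: returns the highest index it would read,
// or -1 if the check rejected the call. Comparing the result with argc - 1
// shows whether an out-of-bounds read would occur.
int highestIndexRead(int argc, bool (*check)(int)) {
    if (!check(argc)) return -1;
    int last = kFixedArgs - 1;                 // argv[0..4] are always read
    for (int i = kFixedArgs; i + kGroupSize <= argc; i += kGroupSize)
        last = i + kGroupSize - 1;             // then each group of 3
    return last;
}

// True when the consumer would read past the end of a argc-element array.
bool readsPastEnd(int argc, bool (*check)(int)) {
    return highestIndexRead(argc, check) > argc - 1;
}
```

With argc == 2 the unchecked variant reads up to index 4 of a 2-element array; the hardened variant rejects 2 and 5 and accepts 8, 11, 14, and so on.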
Comment on attachment 215468 [details] [diff] [review] patch sr=jst
Attachment #215468 - Flags: superreview?(jst) → superreview+
Fix checked in to trunk and MOZILLA_1_8_BRANCH.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attachment #215468 - Flags: approval18.104.22.168?
Not sure the severity here. I suppose it depends on where the data beyond the array comes from (user controlled?).
kaie: can you explain how this problem could be exploited? thanks!
Comment on attachment 215468 [details] [diff] [review] patch approved for 1.8.0 branch, a=dveditz for drivers
Attachment #215468 - Flags: approval22.214.171.124? → approval126.96.36.199+
Fix checked in to MOZILLA_1_8_0_BRANCH.
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20060420 Firefox/184.108.40.206, based on code inspection and comments in this bug. Adding [need testcase]. If anyone does get a testcase together, we can test to double check the fix.
Bug 327524 has a testcase that is fixed by this patch.
Could you backport this patch to the Firefox 1.0.x branch, please? I can confirm it fixes the crash from the testcase in bug #327524.