Closed Bug 330900 Opened 14 years ago Closed 14 years ago

nsCrypto::GenerateCRMFRequest reads past end of array when given 2 args

(Reporter: dbaron, Assigned: KaiE)


(Keywords: fixed1.8.1, verified1.8.0.4, Whiteboard: [sg:low][need testcase])
Marking this security-sensitive mainly because I discovered it while looking at bug 330897, and the reverse is therefore also reasonably likely, not because I think it's exploitable (although it's possible that it is, although I think unlikely).

nsCrypto::GenerateCRMFRequest intends to allow a number of arguments that is 5, 8, 11, 14, etc.  But it doesn't give an error if it's given 2 arguments, which could cause it to read past the end of an array.

I haven't tried writing a testcase for this yet, though.
I guess this would also fix bug 327524, right?
Comment on attachment 215468

Thanks for the patch.

The documentation for this function is here:

Note that calling this function does not make much sense if one supplies 5 parameters; the smallest reasonable number of parameters is 8.

The documentation page requests that after the first 5 params, there must be "one or more sets" of additional params.

So I think it's ok if we require at least 8 params to be supplied.
Attachment #215468 - Flags: review+
Attachment #215468 - Flags: approval-branch-1.8.1?(kengert)
Attachment #215468 - Flags: superreview?(jst)
Attachment #215468 - Flags: approval-branch-1.8.1?(kengert) → approval-branch-1.8.1+
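The count rule discussed above (5 leading parameters, then complete groups of 3, at least one group, so 8, 11, 14, ...) and the bounded walk over the per-key groups that depends on it, as an added illustration written for this page; it is not the PSM code or the patch. The group layout, the `validCrmfArgCount`/`splitKeyRequests` names and the field names in `KeyRequest` are assumptions.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Assumed layout from the bug discussion: 5 fixed leading arguments,
// then one or more groups of 3 per-key arguments.
constexpr std::size_t kFixedArgs = 5;
constexpr std::size_t kArgsPerKey = 3;

// Count check as the reviewer requested: at least 8 arguments, and the
// arguments after the first 5 must form complete groups of 3. A count
// of 2 is rejected here instead of being accepted and then driving the
// per-key loop past the end of the argument array.
bool validCrmfArgCount(std::size_t argc) {
  if (argc < kFixedArgs + kArgsPerKey) return false;
  return (argc - kFixedArgs) % kArgsPerKey == 0;
}

// Hypothetical field names; the real parameter names are not on this page.
struct KeyRequest {
  std::string first;
  std::string second;
  std::string third;
};

// Splits the arguments after the fixed ones into per-key groups.
// Returns false (and leaves `out` untouched) for an invalid count, and
// the loop bound `i + kArgsPerKey <= args.size()` keeps every index in
// range even if the count check were ever loosened again.
bool splitKeyRequests(const std::vector<std::string>& args,
                      std::vector<KeyRequest>& out) {
  if (!validCrmfArgCount(args.size())) return false;
  for (std::size_t i = kFixedArgs; i + kArgsPerKey <= args.size();
       i += kArgsPerKey) {
    out.push_back({args[i], args[i + 1], args[i + 2]});
  }
  return true;
}
```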
Comment on attachment 215468

Attachment #215468 - Flags: superreview?(jst) → superreview+
Fix checked in to trunk and MOZILLA_1_8_BRANCH.
Closed: 14 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Attachment #215468 - Flags: approval1.8.0.3?
Not sure the severity here. I suppose it depends on where the data beyond the array comes from (user controlled?).
Flags: blocking1.8.0.3+
Whiteboard: [sg:moderate?]
kaie: can you explain how this problem could be exploited?  thanks!
This bug occurs when using the function with an invalid number of parameters.

This function is not called from within our own code, but only if a web page calls it.

I don't know how a web site page can influence the data past the array, will it just read the bytes that follow the javascript code in the web page?
Comment on attachment 215468

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #215468 - Flags: approval1.8.0.3? → approval1.8.0.3+
Whiteboard: [sg:moderate?] → [sg:low]
Fix checked in to MOZILLA_1_8_0_BRANCH.
Keywords: fixed1.8.0.3
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060420 Firefox/, based on code inspection and comments in this bug.

Adding [need testcase].  If anyone does get a testcase together, we can test to double check the fix.
Whiteboard: [sg:low] → [sg:low][need testcase]
Bug 327524 has a testcase that is fixed by this patch.
Could you backport this patch to the Firefox 1.0.x branch please?

I can confirm it fixes the crash from the testcase in bug #327524.
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Group: security