Closed
Bug 334185
Opened 18 years ago
Closed 17 years ago
double free in HandshakeCallback if CERT_GetOrgName fails
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: KaiE)
References
()
Details
(Keywords: coverity, Whiteboard: [sg:investigate])
Attachments
(1 file, 2 obsolete files)
4.54 KB,
patch
|
rrelyea
:
review+
|
Details | Diff | Splinter Review |
Updated•18 years ago
|
Group: security
Whiteboard: [sg:critical?]
Assignee: kengert → timeless
Status: NEW → ASSIGNED
Attachment #218646 -
Flags: superreview?(bzbarsky)
Attachment #218646 -
Flags: review?(kengert)
Comment 2•18 years ago
|
||
I don't follow. The comment and assert seem clear; are they wrong?
Assignee | ||
Comment 3•18 years ago
|
||
Comment on attachment 218646 [details] [diff] [review] don't double destroy signer The double free case is: - signer could be allocated - caName could not be allocated In this case caName will be set to point to the same memory as signer. The existing code will free caName == signer, and again free signer at the end of the routine.
Attachment #218646 -
Flags: review?(kengert) → review+
Comment 4•18 years ago
|
||
Comment on attachment 218646 [details] [diff] [review] don't double destroy signer In that case we should fix the comment and remove the assert.
Attachment #218646 -
Flags: superreview?(bzbarsky) → superreview-
Comment 5•17 years ago
|
||
should this still be sg:critical?
Comment 6•17 years ago
|
||
Kai: is this a bug or not? Boris points out the inconsistency between the comment and the code change. If we need this please fix the comment and shepherd this in.
Assignee: timeless → kengert
Status: ASSIGNED → NEW
Flags: blocking1.9?
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Updated•17 years ago
|
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:critical?] → [sg:investigate] need answer from Kai
Assignee | ||
Comment 7•17 years ago
|
||
Let's get this right. First, this code is a nightmare. It's difficult to read and understand. I will propose a patch that makes it all more obvious. But before I do, let me explain the comment and the assertion. The existing code plays games with pointer variable caName. It may point to a string that must get freed, or a string that must not get free. The comment (that Boris complains about) is meant to make it easier to understand the code. The means: If caName points to a string equal to "RSA...", then caName must origin from CERT_GetOrgName. caName can not be signer. Because signer would be a X.509 name, where all parts are prefixed. Because caName is equal to "RSA...", it does not start with "O=RSA...". But if the caName had its origin in signer, then the string would have to look like "O=RSA...". So the code concludes it can not be signer, it must origin from CERT_GetOrgName (which we no longer need) and its therefore safe to free the current caName pointer. Having read this in more detail, and assuming the comment is right, this crash is purely hypothetical. Because if we are sure that caName has its origin in CERT_GetOrgName, it obviously got allocated... I propose we avoid future confusion about this code. I will attach a patch that makes it more obvious. I don't want to proof whether the assumption about a O= prefix is right. I propose we change the comment into a hint that "probably" caName has its origin in CERT_GetOrgName, and remove the statement about freeing memory, and remove the assertion. Timeless, did you actually run into this crash?
Assignee | ||
Comment 8•17 years ago
|
||
Attachment #218646 -
Attachment is obsolete: true
Attachment #265672 -
Flags: superreview?(bzbarsky)
Attachment #265672 -
Flags: review?
Assignee | ||
Updated•17 years ago
|
Attachment #265672 -
Flags: review? → review?(timeless)
Comment 9•17 years ago
|
||
Comment on attachment 265672 [details] [diff] [review] Patch v2 >Index: mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp >+ // In this case, caName should have its origin in certOrgName. >+ // The signer string would be at minimal "O=RSA Data Security, Inc". Why does any of that matter? In this case we just repoint our pointer; what do we care where it comes from? > caName = PL_strdup("Verisign, Inc."); fwiw, if we just make this a string constant instead of calling strdup, can't we just drop verisignName altogeter? sr=bzbarsky with the nits addressed.
Attachment #265672 -
Flags: superreview?(bzbarsky) → superreview+
Assignee | ||
Comment 10•17 years ago
|
||
- Comment removed - strdup eliminated - converted verisign name into a constant string
Attachment #265672 -
Attachment is obsolete: true
Attachment #265729 -
Flags: review?(rrelyea)
Attachment #265672 -
Flags: review?(timeless)
Comment 11•17 years ago
|
||
Comment on attachment 265729 [details] [diff] [review] Patch v3 r+ The new code is much easier to prove correct. bob
Attachment #265729 -
Flags: review?(rrelyea) → review+
Assignee | ||
Comment 12•17 years ago
|
||
Patch checked in to trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [sg:investigate] need answer from Kai → [sg:investigate]
Updated•16 years ago
|
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Comment 13•15 years ago
|
||
Fixed on trunk, worth backporting to the 1.8 branch?
Flags: wanted1.8.1.x?
Flags: blocking1.9?
Flags: blocking1.8.1.next?
Updated•15 years ago
|
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next?
Updated•11 years ago
|
Group: core-security
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•