Closed Bug 334277 Opened 19 years ago Closed 19 years ago

double free in [@ sftk_FreeAttribute - sftk_DeleteAttributeType]

Categories

(NSS :: Libraries, defect, P2)

3.11
All
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.11.1

People

(Reporter: timeless, Assigned: alvolkov.bgs)

References

()

Details

(4 keywords, Whiteboard: CID 675)

Crash Data

Attachments

(1 file)

found by coverity sftk_FreeAttribute sftk_DeleteAttribute sftk_DeleteAttributeType sftk_FreeAttribute sftk_DeleteAttributeType
Assignee: kengert → nobody
Severity: blocker → critical
Priority: -- → P2
Target Milestone: --- → 3.11.1
Version: 4.0 → 3.11
Hardware: PC → All
Attached patch fixSplinter Review
Assignee: nobody → alexei.volkov.bugs
Status: NEW → ASSIGNED
Attachment #219649 - Flags: review?(nelson)
Adding Bob to CC list
Comment on attachment 219649 [details] [diff] [review] fix r=relyea.
Attachment #219649 - Flags: review?(nelson) → review+
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
CID 675
Whiteboard: CID 675
should this fix get picked up for the 2.0.0.4 firefox release?
Flags: blocking1.8.1.4?
I just did a quick review of the code. All the useds of sftk_DeleteAttributeType() are in pkcs11c.c. In all these cases, the attribute in question is tied to a PKCS #11 session object and is never freed actually freed by the call, so there should be no vulnerability (the attributes are all freed when the object goes away). The fix silences the coverity warning, and would protect against possible future uses of sftk_DeleteAttributeType against other a potential double free. All that being said, it looks like this patch has been in FF for quite a while. FF 2.0.0.3 is on NSS 3.11.4 or 3.11.5 and this fix has been in since 3.11.3 Beta.
FF2.0.0.1 used NSS 3.11.4 (FF1.5.0.9 still NSS 3.10.3 plus some patches) FF2.0.0.2/3 use NSS 3.11.5 (also FF1.5.0.10/11)
Flags: blocking1.8.1.4?
Group: security
Crash Signature: [@ sftk_FreeAttribute - sftk_DeleteAttributeType]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: