Closed Bug 334277 Opened 15 years ago Closed 15 years ago
double free in [@ sftk_FreeAttribute - sftk_DeleteAttributeType]
found by coverity sftk_FreeAttribute sftk_DeleteAttribute sftk_DeleteAttributeType sftk_FreeAttribute sftk_DeleteAttributeType
Severity: blocker → critical
Priority: -- → P2
Target Milestone: --- → 3.11.1
Version: 4.0 → 3.11
Assignee: nobody → alexei.volkov.bugs
Status: NEW → ASSIGNED
Attachment #219649 - Flags: review?(nelson)
Adding Bob to CC list
Comment on attachment 219649 [details] [diff] [review] fix r=relyea.
Attachment #219649 - Flags: review?(nelson) → review+
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: CID 675
Should this fix get picked up for the 188.8.131.52 Firefox release?
I just did a quick review of the code. All the uses of sftk_DeleteAttributeType() are in pkcs11c.c. In all these cases, the attribute in question is tied to a PKCS #11 session object and is never actually freed by the call, so there should be no vulnerability (the attributes are all freed when the object goes away). The fix silences the Coverity warning, and would protect against possible future uses of sftk_DeleteAttributeType against another potential double free. All that being said, it looks like this patch has been in FF for quite a while. FF 184.108.40.206 is on NSS 3.11.4 or 3.11.5 and this fix has been in since 3.11.3 Beta.
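The ownership point in the comment above (an attribute still linked to its session object must not be freed by a delete helper, because the object's teardown frees it again) can be shown with a small instrumented model. This is an added example, not NSS code: the Attribute and SessionObject structs, the function names and the "unlink before release" rule are assumptions; only the CKA_* numeric values match PKCS #11. The instrumented release counts a second release instead of calling free() twice, which on a real heap aborts or corrupts memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a session object's attribute list (assumed layout). */
typedef struct Attribute {
    unsigned long type;        /* PKCS #11 attribute type (CKA_* value) */
    char *value;               /* heap copy of the attribute value */
    int freed;                 /* instrumentation: set on first release */
    struct Attribute *next;
} Attribute;

typedef struct {
    Attribute *attrs;          /* attributes owned by this session object */
} SessionObject;

enum { CKA_CLASS = 0x0, CKA_LABEL = 0x3, CKA_KEY_TYPE = 0x100 };

static int g_double_frees;     /* instrumentation: second releases seen */

/* Instrumented release: a second release of the same node is counted,
 * not performed; storage is reclaimed later by attr_destroy(). */
static void attr_release(Attribute *a)
{
    if (a->freed) {
        g_double_frees++;
        return;
    }
    a->freed = 1;
}

static void attr_destroy(Attribute *a)
{
    free(a->value);
    free(a);
}

static Attribute *attr_new(unsigned long type, const char *value)
{
    Attribute *a = calloc(1, sizeof *a);
    size_t n = strlen(value) + 1;
    a->type = type;
    a->value = malloc(n);
    memcpy(a->value, value, n);
    return a;
}

static void object_add(SessionObject *obj, Attribute *a)
{
    a->next = obj->attrs;
    obj->attrs = a;
}

/* Teardown releases every attribute still linked to the object. */
static void object_teardown(SessionObject *obj)
{
    for (Attribute *a = obj->attrs; a; a = a->next)
        attr_release(a);
}

/* Buggy delete: releases the attribute but leaves it linked, so the
 * object's teardown releases it a second time. */
static void delete_attribute_type_buggy(SessionObject *obj, unsigned long type)
{
    for (Attribute *a = obj->attrs; a; a = a->next)
        if (a->type == type) {
            attr_release(a);
            return;
        }
}

/* Fixed delete: unlink first (ownership moves to the caller), then release
 * exactly once. Returns the unlinked node, or NULL if the type is absent. */
static Attribute *delete_attribute_type_fixed(SessionObject *obj, unsigned long type)
{
    for (Attribute **pp = &obj->attrs; *pp; pp = &(*pp)->next)
        if ((*pp)->type == type) {
            Attribute *a = *pp;
            *pp = a->next;
            a->next = NULL;
            attr_release(a);
            return a;
        }
    return NULL;
}

/* Constructed scenario: build an object with three attributes, delete one
 * with the buggy or fixed helper, tear the object down, and return the
 * number of double releases observed. */
int run_scenario(int use_fixed)
{
    SessionObject obj = { NULL };
    Attribute *removed = NULL;
    g_double_frees = 0;

    object_add(&obj, attr_new(CKA_CLASS, "3"));
    object_add(&obj, attr_new(CKA_LABEL, "demo-key"));
    object_add(&obj, attr_new(CKA_KEY_TYPE, "0"));

    if (use_fixed)
        removed = delete_attribute_type_fixed(&obj, CKA_LABEL);
    else
        delete_attribute_type_buggy(&obj, CKA_LABEL);

    object_teardown(&obj);

    for (Attribute *a = obj.attrs; a;) {   /* reclaim instrumented storage */
        Attribute *next = a->next;
        attr_destroy(a);
        a = next;
    }
    if (removed)
        attr_destroy(removed);
    return g_double_frees;
}

int main(void)
{
    printf("buggy delete: %d double release(s)\n", run_scenario(0));
    printf("fixed delete: %d double release(s)\n", run_scenario(1));
    return 0;
}
```

The buggy path reports one double release (the deleted attribute is hit again by teardown); the fixed path reports none, because once a node is unlinked the object no longer considers it its own.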
FF 220.127.116.11 used NSS 3.11.4 (FF 18.104.22.168 still NSS 3.10.3 plus some patches); FF 22.214.171.124/3 use NSS 3.11.5 (also FF 126.96.36.199/11).
Crash Signature: [@ sftk_FreeAttribute - sftk_DeleteAttributeType]