Closed
Bug 336477
Opened 19 years ago
Closed 19 years ago
Coverity CERT_UncacheCRL variable named "returned" is not freed if !removed
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.2
People
(Reporter: timeless, Assigned: julien.pierre)
References
()
Details
(Keywords: coverity, memory-leak, Whiteboard: CID 415)
Attachments
(2 files, 2 obsolete files)
|
903 bytes,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
|
2.03 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
this might not be a particularly reachable case, but the codepath seems to mostly exist to allow it.
|
||
Updated•19 years ago
|
Hardware: PC → All
Target Milestone: --- → 3.11.2
|
|
||
Updated•19 years ago
|
Summary: CERT_UncacheCRL Variable "returned" not freed if !removed → CERT_UncacheCRL variable named "returned" is not freed if !removed
|
|
||
Comment 2•19 years ago
|
||
Comment on attachment 221176 [details] [diff] [review]
hopefully i'm patching a leak instead of making a double free
The variable named "returned" has gone out of scope before the point where this patch attempts to free it.
Attachment #221176 -
Flags: review?(nelson) → review-
|
|
||
Updated•19 years ago
|
Priority: -- → P2
|
|
Assignee | |
Comment 3•19 years ago
|
||
Thanks for the bug report, timeless. This is a leak. The function to call to destroy a CachedCrl is CachedCrl_Destroy . It should be done unconditionally in CERT_UncacheCRL if CachedCrl_Create succeeded .
|
|
||
Updated•19 years ago
|
Assignee: timeless → alexei.volkov.bugs
Status: ASSIGNED → NEW
|
|
||
Updated•19 years ago
|
Assignee: alexei.volkov.bugs → nelson
|
|
Assignee | |
Updated•19 years ago
|
Assignee: nelson → julien.pierre.bugs
|
|
Assignee | |
Comment 4•19 years ago
|
||
Attachment #221176 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•19 years ago
|
Attachment #221863 -
Flags: review?(nelson)
|
|
||
Comment 5•19 years ago
|
||
Comment on attachment 221863 [details] [diff] [review]
proper fix
r=nelson
Attachment #221863 -
Flags: review?(nelson) → review+
|
|
Assignee | |
Comment 6•19 years ago
|
||
Thanks for the review, Nelson.
Checked in to NSS_3_11_BRANCH :
Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v <-- crl.c
new revision: 1.49.24.1; previous revision: 1.49
done
And tip :
Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v <-- crl.c
new revision: 1.50; previous revision: 1.49
done
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Comment 7•19 years ago
|
||
Julien, a problem with your patch "proper fix" is
that the old value of 'rv' set by a failed
CachedCrl_Compare call inside the for loop will be
lost if the CachedCrl_Destroy call succeeds.
|
|
||
Comment 8•19 years ago
|
||
Yeah, I noticed that in review, but figured Julien must have believed
that's OK. Reopening to ask Julien about this.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 9•19 years ago
|
||
I wish you had given me this feedback during the review.
The only return value that could be lost was from CachedCrl_Compare, which is not very likely to happen, so the problem was minor.
But I found that the code wasn't checking the return from DPCache_RemoveCRL . This is more serious.
This incremental patch fixes both issues.
Attachment #222132 -
Flags: review?(nelson)
|
|
Assignee | |
Updated•19 years ago
|
Attachment #222132 -
Flags: superreview?(wtchang)
|
|
||
Comment 10•19 years ago
|
||
Comment on attachment 222132 [details] [diff] [review]
better fix
This makes sense to me.
r=nelson
Attachment #222132 -
Flags: review?(nelson) → review+
|
|
||
Comment 11•19 years ago
|
||
Comment on attachment 222132 [details] [diff] [review]
better fix
r=wtc.
This function has the following near the end:
if (PR_TRUE != removed)
{
rv = SECFailure;
}
...
if (PR_TRUE != removed)
{
PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
}
I'm wondering if these two should be combined. Also,
the PORT_SetError call may overwrite the existing error
code. So I'm wondering if these should be written as:
if (SECSuccess == rv && PR_TRUE != removed)
{
rv = SECFailure;
PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
}
Attachment #222132 -
Flags: superreview?(wtchang) → superreview+
|
|
Assignee | |
Comment 12•19 years ago
|
||
Wan-Teh,
Your last suggestion makes sense, so I added it to this patch.
Also, we weren't checking the status of SEC_DestroyCrl . This patch does.
Attachment #222132 -
Attachment is obsolete: true
Attachment #223257 -
Flags: review?(nelson)
|
|
||
Comment 13•19 years ago
|
||
Comment on attachment 223257 [details] [diff] [review]
hopefully the last patch
r=nelson, with one proviso. This too-long line needs to be wrapped.
I suggest putting the comment on a separate line inside the basic block.
>+ if (SECSuccess != SEC_DestroyCrl(oldcrl) ) { /* need to do this because object is refcounted */
>+ rv = SECFailure;
Attachment #223257 -
Flags: review?(nelson) → review+
|
|
Assignee | |
Comment 14•19 years ago
|
||
Checked in to the tip :
Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v <-- crl.c
new revision: 1.52; previous revision: 1.51
done
And to NSS_3_11_BRANCH :
Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v <-- crl.c
new revision: 1.49.24.3; previous revision: 1.49.24.2
done
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
|
|
||
Updated•19 years ago
|
Summary: CERT_UncacheCRL variable named "returned" is not freed if !removed → Coverity CERT_UncacheCRL variable named "returned" is not freed if !removed
You need to log in
before you can comment on or make changes to this bug.
Description
•