Closed Bug 336992 Opened 18 years ago Closed 18 years ago

crash [@ pk11_DoKeys] "arg" Pointer dereferenced before NULL check

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Version:
3.11
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.2

People

(Reporter: timeless, Assigned: alvolkov.bgs)

References

(
URL
)

Details

(Keywords: coverity, crash, Whiteboard: [CID 312])

Crash Data

Attachments

(1 file)

look before leaping
926 bytes, patch
nelson
: review+
wtc
: review+
Details | Diff | Splinter Review 
 
Assignee: nobody → timeless
Status: NEW → ASSIGNED

        Attachment #221197 -
        Flags: review?(nelson)

    
    

    
  
I'm surprised this is listed as "crash" and not as "useless NULL check" or 
even "dead code".  

An inspection of the code shows that there is only one path into pk11_DoKeys,
PK11_TraversePrivateKeysInSlot calls PK11_TraverseSlot passing pk11_DoKeys
and the non-null stack address of a data structure to it.  PK11_TraverseSlot
then calls pk11_DoKeys with that structure address, which cannot be NULL.

So, I'm downgrading the severity to "trivial".  
Severity: critical → trivial
OS: Linux → All
Priority: -- → P3
Hardware: PC → All

    
    

    
  
Comment on attachment 221197 [details] [diff] [review]
look before leaping

r=nelson

>     pk11KeyCallback *keycb = (pk11KeyCallback *) arg;
>+    if (!arg) {

Should set an error code here.  But caller will ignore it.

>+        return SECFailure;
>+    }

        Attachment #221197 -
        Flags: review?(nelson) → review+
Target Milestone: --- → 3.11.2

    
  
Assignee: timeless → alexei.volkov.bugs
Status: ASSIGNED → NEW

    
    

    
  
trunk
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.14; previous revision: 1.13

3.11 branch
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.9.2.4; previous revision: 1.9.2.3

Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 221197 [details] [diff] [review]
look before leaping

r=wtc.

>     pk11KeyCallback *keycb = (pk11KeyCallback *) arg;
>+    if (!arg) {
>+        return SECFailure;
>+    }

I would test 'keycb' instead of 'arg' here.

        Attachment #221197 -
        Flags: review+

    
    

    
  
CID 312
Whiteboard: [CID 312]
Crash Signature: [@ pk11_DoKeys]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: