Closed Bug 336995 Opened 19 years ago Closed 19 years ago

Coverity crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Version:
3.11
Platform:
All
Linux
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.2

People

(Reporter: timeless, Assigned: nelson)

References

(
URL
)

Details

(Keywords: coverity, crash, Whiteboard: FIPS [CIDs 495 496 497])

Crash Data

Attachments

(1 file, 1 obsolete file)

Add 3 assertions, whose purpose is to silence covreity
2.44 KB, patch
alvolkov.bgs
: review+
wtc
: superreview+
Details | Diff | Splinter Review
The DER_POINTER case null checks, but the DER_INLINE case does not.
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #221198 - Flags: review?(nelson)
Comment on attachment 221198 [details] [diff] [review] look before leaping like the other children r=nelson
Attachment #221198 - Flags: review?(nelson) → review+
Hardware: PC → All
Target Milestone: --- → 3.11.2
Unfortunately there are other instances in this file (I figure I'll try to limit the number of bugs we use to patch similar problems): CID 496 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/derenc.c&rev=1.2&mark=346,353,355-356,371-375,378-379,383,386-387,390,393-394,397,398-399#382 Crash [@ der_encode - DER_encode] Variable "tmpt" tracked as NULL was dereferenced. CID 495 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/derenc.c&rev=1.2&mark=202,206-207,223,227,230-231,235,241-242,245,247,248#200 Crash [@ contents_length] Variable "tmpt" tracked as NULL was dereferenced. If you'd rather new bugs for these, feel free to indicate before the weekend (most likely my patch sprees will be on sundays).
Priority: -- → P2
Timeless, You know what PORT_Assert does (right?) Will PORT_Assert suffice to silence coverity WRT the issued in comment 3 (e.g. PORT_Assert(tmpt != NULL); ) ?
as long as coverity continues to build debug, it should.
taking.
Assignee: timeless → nelson
Status: ASSIGNED → NEW
Attachment #221198 - Flags: review+
Whiteboard: FIPS
I am extremely reluctant to make any last-minute real changes to the DER encoder logic, even (especially!) to silently avoid NULL ptr dereferences. So, I have added 3 PORT_Assert calls here. According to Timeless, these should silence coverity. That is really their only present purpose. Alexei + Wan-Teh, please review.
Attachment #221198 - Attachment is obsolete: true
Attachment #222451 - Flags: superreview?(wtchang)
Attachment #222451 - Flags: review?(alexei.volkov.bugs)
Comment on attachment 222451 [details] [diff] [review] Add 3 assertions, whose purpose is to silence covreity r=wtc. This patch has some gratuitous changes (combining variable declaration and variable assignment into variable declaration with initializer). These changes are a matter of personal preference but make the patch harder to review.
Attachment #222451 - Flags: superreview?(wtchang) → superreview+
Comment on attachment 222451 [details] [diff] [review] Add 3 assertions, whose purpose is to silence covreity r=alexei
Attachment #222451 - Flags: review?(alexei.volkov.bugs) → review+
Checking in derenc.c; new revision: 1.2.28.1; previous revision: 1.2 Checking in derenc.c; new revision: 1.3; previous revision: 1.2
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
CIDs 495 496 497
Whiteboard: FIPS → FIPS [CIDs 495 496 497]
Summary: crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check → Coverity crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check
Crash Signature: [@ header_length - der_encode - DER_encode]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: