Closed
Bug 336995
Opened 18 years ago
Closed 18 years ago
Coverity crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.2
People
(Reporter: timeless, Assigned: nelson)
References
()
Details
(Keywords: coverity, crash, Whiteboard: FIPS [CIDs 495 496 497])
Crash Data
Attachments
(1 file, 1 obsolete file)
|
2.44 KB,
patch
|
alvolkov.bgs
:
review+
wtc
:
superreview+
|
Details | Diff | Splinter Review |
The DER_POINTER case null checks, but the DER_INLINE case does not.
|
Assignee | |
Comment 2•18 years ago
|
||
Comment on attachment 221198 [details] [diff] [review] look before leaping like the other children r=nelson
Attachment #221198 -
Flags: review?(nelson) → review+
|
|
Assignee | |
Updated•18 years ago
|
Hardware: PC → All
Target Milestone: --- → 3.11.2
Unfortunately there are other instances in this file (I figure I'll try to limit the number of bugs we use to patch similar problems): CID 496 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/derenc.c&rev=1.2&mark=346,353,355-356,371-375,378-379,383,386-387,390,393-394,397,398-399#382 Crash [@ der_encode - DER_encode] Variable "tmpt" tracked as NULL was dereferenced. CID 495 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/derenc.c&rev=1.2&mark=202,206-207,223,227,230-231,235,241-242,245,247,248#200 Crash [@ contents_length] Variable "tmpt" tracked as NULL was dereferenced. If you'd rather new bugs for these, feel free to indicate before the weekend (most likely my patch sprees will be on sundays).
|
|
Assignee | |
Updated•18 years ago
|
Priority: -- → P2
|
|
Assignee | |
Comment 4•18 years ago
|
||
Timeless, You know what PORT_Assert does (right?) Will PORT_Assert suffice to silence coverity WRT the issued in comment 3 (e.g. PORT_Assert(tmpt != NULL); ) ?
|
||
Updated•18 years ago
|
Attachment #221198 -
Flags: review+
|
|
||
Updated•18 years ago
|
Whiteboard: FIPS
|
|
Assignee | |
Comment 7•18 years ago
|
||
I am extremely reluctant to make any last-minute real changes to the DER encoder logic, even (especially!) to silently avoid NULL ptr dereferences. So, I have added 3 PORT_Assert calls here. According to Timeless, these should silence coverity. That is really their only present purpose. Alexei + Wan-Teh, please review.
Attachment #221198 -
Attachment is obsolete: true
Attachment #222451 -
Flags: superreview?(wtchang)
Attachment #222451 -
Flags: review?(alexei.volkov.bugs)
|
||
Comment 8•18 years ago
|
||
Comment on attachment 222451 [details] [diff] [review] Add 3 assertions, whose purpose is to silence covreity r=wtc. This patch has some gratuitous changes (combining variable declaration and variable assignment into variable declaration with initializer). These changes are a matter of personal preference but make the patch harder to review.
Attachment #222451 -
Flags: superreview?(wtchang) → superreview+
|
|
||
Comment 9•18 years ago
|
||
Comment on attachment 222451 [details] [diff] [review] Add 3 assertions, whose purpose is to silence covreity r=alexei
Attachment #222451 -
Flags: review?(alexei.volkov.bugs) → review+
|
|
Assignee | |
Comment 10•18 years ago
|
||
Checking in derenc.c; new revision: 1.2.28.1; previous revision: 1.2 Checking in derenc.c; new revision: 1.3; previous revision: 1.2
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
||
Updated•18 years ago
|
Summary: crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check → Coverity crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check
|
||
Updated•13 years ago
|
Crash Signature: [@ header_length - der_encode - DER_encode]
You need to log in
before you can comment on or make changes to this bug.
Description
•