Closed
Bug 336995
Opened 19 years ago
Closed 19 years ago
Coverity crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.2
People
(Reporter: timeless, Assigned: nelson)
References
()
Details
(Keywords: coverity, crash, Whiteboard: FIPS [CIDs 495 496 497])
Crash Data
Attachments
(1 file, 1 obsolete file)
2.44 KB,
patch
|
alvolkov.bgs
:
review+
wtc
:
superreview+
|
Details | Diff | Splinter Review |
The DER_POINTER case null checks, but the DER_INLINE case does not.
Assignee | ||
Comment 2•19 years ago
|
||
Comment on attachment 221198 [details] [diff] [review]
look before leaping like the other children
r=nelson
Attachment #221198 -
Flags: review?(nelson) → review+
Assignee | ||
Updated•19 years ago
|
Hardware: PC → All
Target Milestone: --- → 3.11.2
Unfortunately there are other instances in this file (I figure I'll try to limit the number of bugs we use to patch similar problems):
CID 496
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/derenc.c&rev=1.2&mark=346,353,355-356,371-375,378-379,383,386-387,390,393-394,397,398-399#382
Crash [@ der_encode - DER_encode] Variable "tmpt" tracked as NULL was dereferenced.
CID 495
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/util/derenc.c&rev=1.2&mark=202,206-207,223,227,230-231,235,241-242,245,247,248#200
Crash [@ contents_length] Variable "tmpt" tracked as NULL was dereferenced.
If you'd rather new bugs for these, feel free to indicate before the weekend (most likely my patch sprees will be on sundays).
Assignee | ||
Updated•19 years ago
|
Priority: -- → P2
Assignee | ||
Comment 4•19 years ago
|
||
Timeless, You know what PORT_Assert does (right?)
Will PORT_Assert suffice to silence coverity WRT the issued in comment 3
(e.g. PORT_Assert(tmpt != NULL); ) ?
Updated•19 years ago
|
Attachment #221198 -
Flags: review+
Updated•19 years ago
|
Whiteboard: FIPS
Assignee | ||
Comment 7•19 years ago
|
||
I am extremely reluctant to make any last-minute real changes to the DER
encoder logic, even (especially!) to silently avoid NULL ptr dereferences.
So, I have added 3 PORT_Assert calls here.
According to Timeless, these should silence coverity.
That is really their only present purpose.
Alexei + Wan-Teh, please review.
Attachment #221198 -
Attachment is obsolete: true
Attachment #222451 -
Flags: superreview?(wtchang)
Attachment #222451 -
Flags: review?(alexei.volkov.bugs)
Comment 8•19 years ago
|
||
Comment on attachment 222451 [details] [diff] [review]
Add 3 assertions, whose purpose is to silence covreity
r=wtc. This patch has some gratuitous changes
(combining variable declaration and variable assignment
into variable declaration with initializer). These
changes are a matter of personal preference but make the
patch harder to review.
Attachment #222451 -
Flags: superreview?(wtchang) → superreview+
Comment 9•19 years ago
|
||
Comment on attachment 222451 [details] [diff] [review]
Add 3 assertions, whose purpose is to silence covreity
r=alexei
Attachment #222451 -
Flags: review?(alexei.volkov.bugs) → review+
Assignee | ||
Comment 10•19 years ago
|
||
Checking in derenc.c; new revision: 1.2.28.1; previous revision: 1.2
Checking in derenc.c; new revision: 1.3; previous revision: 1.2
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•18 years ago
|
Summary: crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check → Coverity crash [@ header_length - der_encode - DER_encode] "dtemplate->sub" Pointer dereferenced before NULL check
Updated•13 years ago
|
Crash Signature: [@ header_length - der_encode - DER_encode]
You need to log in
before you can comment on or make changes to this bug.
Description
•