Closed Bug 337104 Opened 15 years ago Closed 15 years ago

Coverity OOM Crash [@ ssl2_QualifyCypherSpecs][@ ssl2_ChooseSessionCypher] Variable "ms" tracked as NULL was dereferenced.

Categories

(NSS :: Libraries, defect, P2)

3.11
All
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.11.2

People

(Reporter: timeless, Assigned: nelson)

Details

(Keywords: coverity, crash, Whiteboard: CIDs 442 443 444)

Crash Data

Attachments

(1 file)

The code assumes that ss->sizeCipherSpecs implies ss->cipherSpecs or that ssl2_ConstructCipherSpecs can safely initialize ss->cipherSpecs, which is false; the function can clearly return SECFailure.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: OOM? Crash [@ ssl2_QualifyCypherSpecs][@ ssl2_ChooseSessionCypher] Variable "ms" tracked as NULL was dereferenced. → OOM Crash [@ ssl2_QualifyCypherSpecs][@ ssl2_ChooseSessionCypher] Variable "ms" tracked as NULL was dereferenced.
Hardware: PC → All
Target Milestone: --- → 3.11.2
Priority: -- → P2
Assignee: nobody → nelson
Timeless, this bug summary claims to be about two functions whose names start
with ssl2_, none of which are in the file ssl3con.c.
But the URL given for this bug,
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/ssl3con.c&rev=1.88&mark=1769-1770,1773,1775,1776,1777,1830-1831,1834-1835,1838-1841,1843,1858,1859,1860#1769
is for a function named ssl3_CompressMACEncryptRecord in ssl3con.c

So this begs several questions.
Which of these is this bug really supposed to be about?
Is there another bug for the other one?

I will proceed assuming that this bug is really about the functions named 
in the bug summary (unless that proves to be a dead end).
If you need to file another bug about the URL given above, please do so,
but be sure to explain what's wrong with that URL.
sorry, i'm currently in amsterdam, it's quite possible i lost a bug while trying to file these. even if i weren't, i wouldn't really recall much more about these bugs, although i suppose i could ask coverity what bug# i claimed for the functions in the original summary. i'll see about maybe doing that on tuesday at the earliest :(.
OK, it's apparent now that the old URL simply had the wrong file name in it.
The new URL is the right one.
This patch fixes two bugs (which were both about the same source file
and even about the same function).
Attachment #222570 - Flags: review?(alexei.volkov.bugs)
Comment on attachment 222570 [details] [diff] [review]
patch for bug 337104 and bug 337105, v1

r=alexei
Attachment #222570 - Flags: review?(alexei.volkov.bugs) → review+
Whiteboard: CID 442 & 443
Checking in sslcon.c; new revision: 1.31;     previous revision: 1.30
Checking in sslcon.c; new revision: 1.28.2.3; previous revision: 1.28.2.2
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Also CID 444
Whiteboard: CID 442 & 443 → CIDs 442 443 444
Summary: OOM Crash [@ ssl2_QualifyCypherSpecs][@ ssl2_ChooseSessionCypher] Variable "ms" tracked as NULL was dereferenced. → Coverity OOM Crash [@ ssl2_QualifyCypherSpecs][@ ssl2_ChooseSessionCypher] Variable "ms" tracked as NULL was dereferenced.
Crash Signature: [@ ssl2_QualifyCypherSpecs] [@ ssl2_ChooseSessionCypher]
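
The pattern described in the report, as a simplified C model added here for illustration; it is not NSS source and not the attached patch. `ModelSocket`, `construct_specs`, `count_common`, `qualify_unchecked`, `qualify_checked` and the `simulate_oom` hook are hypothetical names; only `cipherSpecs`, `sizeCipherSpecs` and `SECFailure` come from the report.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model, not NSS source; field names and SECFailure follow the report. */
typedef enum { SECFailure = -1, SECSuccess = 0 } SECStatus;
typedef struct { unsigned char *cipherSpecs; size_t sizeCipherSpecs; } ModelSocket;
static int simulate_oom = 0;  /* hypothetical hook: force allocation failure */
static void *model_alloc(size_t n) { return simulate_oom ? NULL : malloc(n); }

/* Stand-in for the constructor: records the size, then allocates, and can fail. */
static SECStatus construct_specs(ModelSocket *ss) {
    static const unsigned char defaults[] = {0x01, 0x00, 0x80, 0x07, 0x00, 0xc0}; /* constructed */
    ss->sizeCipherSpecs = sizeof defaults;  /* nonzero size does not imply a valid pointer */
    ss->cipherSpecs = model_alloc(sizeof defaults);
    if (ss->cipherSpecs == NULL) return SECFailure;
    memcpy(ss->cipherSpecs, defaults, sizeof defaults);
    return SECSuccess;
}

/* Count 3-byte specs present in both lists; reads through ms whenever msLen >= 3. */
static int count_common(const unsigned char *ms, size_t msLen,
                        const unsigned char *peer, size_t peerLen) {
    int hits = 0;
    for (size_t i = 0; i + 3 <= msLen; i += 3)
        for (size_t j = 0; j + 3 <= peerLen; j += 3)
            if (memcmp(ms + i, peer + j, 3) == 0) hits++;
    return hits;
}

/* Pattern from the report: constructor result dropped, so ms is NULL under OOM. */
static int qualify_unchecked(ModelSocket *ss, const unsigned char *peer, size_t peerLen) {
    if (!ss->cipherSpecs) construct_specs(ss);
    const unsigned char *ms = ss->cipherSpecs;
    return count_common(ms, ss->sizeCipherSpecs, peer, peerLen);
}

/* Hardened form: check the status and the pointer; -1 reports failure to the caller. */
static int qualify_checked(ModelSocket *ss, const unsigned char *peer, size_t peerLen) {
    if (!ss->cipherSpecs && (construct_specs(ss) != SECSuccess || !ss->cipherSpecs))
        return -1;
    return count_common(ss->cipherSpecs, ss->sizeCipherSpecs, peer, peerLen);
}

int main(void) {
    const unsigned char peer[] = {0x07, 0x00, 0xc0};    /* constructed peer list */
    ModelSocket ok = {0}, oom = {0};
    int a = qualify_unchecked(&ok, peer, sizeof peer);  /* allocation succeeds */
    simulate_oom = 1;
    int b = qualify_checked(&oom, peer, sizeof peer);   /* failure reported, no crash */
    free(ok.cipherSpecs);
    return (a == 1 && b == -1) ? 0 : 1;
}
```

With `simulate_oom` set, `qualify_unchecked` would pass a NULL `ms` with a nonzero length into the comparison loop, which is the dereference the Coverity finding describes.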