Closed Bug 337495 Opened 15 years ago Closed 15 years ago

Coverity Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c)

Categories

(NSS :: Libraries, defect, P2)

3.11
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.11.2

People

(Reporter: kherron+mozilla, Assigned: alvolkov.bgs)

References

()

Details

(Keywords: coverity, Whiteboard: [CID 944])

Attachments

(2 files)

This is coverity CID 944. Please refer to the sample URL. At line 339, |derDest.data| is freed. If the test on line 340 succeeds, execution branches to line 346 where |derDest.data| is freed again a few lines later.
Whiteboard: [good first bug]
Target Milestone: --- → 3.11.2
Yup, it's a double-free allright.  
Severity: normal → critical
Priority: -- → P2
Version: unspecified → 3.11
Assignee: nobody → alexei.volkov.bugs
Attached patch fixSplinter Review
Attachment #222750 - Flags: review?(nelson)
Comment on attachment 222750 [details] [diff] [review]
fix

This code could surely use some comments, and some variables should be 
renamed.  For example, derDest should be derTemp, because it is NOT the
destination, but only a temporary holder.  

But this patch appears to correctly fix the bug it targets.
r=nelson
Attachment #222750 - Flags: review?(nelson) → review+
Bug fix integration:
trunk:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.5; previous revision: 1.4

3.11 branch:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.3.28.2; previous revision: 1.3.28.1
Attached patch variable renameSplinter Review
Attachment #222949 - Flags: review?(nelson)
Comment on attachment 222949 [details] [diff] [review]
variable rename

r=nelson
Attachment #222949 - Flags: review?(nelson) → review+
second patch integration:
trunk:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.6; previous revision: 1.5

3.11 branch:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.3.28.3; previous revision: 1.3.28.2
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
CID 944
Whiteboard: [good first bug] → [CID 944]
Summary: Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c) → Coverity Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c)
You need to log in before you can comment on or make changes to this bug.