Closed Bug 337495 Opened 18 years ago Closed 18 years ago

Coverity Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c)

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Version:
3.11
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.2

People

(Reporter: kherron+mozilla, Assigned: alvolkov.bgs)

References

(
URL
)

Details

(Keywords: coverity, Whiteboard: [CID 944])

Attachments

(2 files)

fix
948 bytes, patch
nelson
: review+
Details | Diff | Splinter Review
variable rename
5.10 KB, patch
nelson
: review+
Details | Diff | Splinter Review 
This is coverity CID 944. Please refer to the sample URL. At line 339, |derDest.data| is freed. If the test on line 340 succeeds, execution branches to line 346 where |derDest.data| is freed again a few lines later.
Whiteboard: [good first bug]
Target Milestone: --- → 3.11.2
Yup, it's a double-free allright.
Severity: normal → critical
Priority: -- → P2
Version: unspecified → 3.11
Assignee: nobody → alexei.volkov.bugs
Attached patch fixSplinter Review 

        Attachment #222750 -
        Flags: review?(nelson)

    
    

    
  
Comment on attachment 222750 [details] [diff] [review]
fix

This code could surely use some comments, and some variables should be 
renamed.  For example, derDest should be derTemp, because it is NOT the
destination, but only a temporary holder.  

But this patch appears to correctly fix the bug it targets.
r=nelson

        Attachment #222750 -
        Flags: review?(nelson) → review+

    
    

    
  
Bug fix integration:
trunk:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.5; previous revision: 1.4

3.11 branch:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.3.28.2; previous revision: 1.3.28.1


    
    

    
  

      
      
      
      

        Attached patch
          
          
        variable renameSplinter Review
      

    


  

        Attachment #222949 -
        Flags: review?(nelson)

    
    

    
  
Comment on attachment 222949 [details] [diff] [review]
variable rename

r=nelson

        Attachment #222949 -
        Flags: review?(nelson) → review+

    
    

    
  
second patch integration:
trunk:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.6; previous revision: 1.5

3.11 branch:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.3.28.3; previous revision: 1.3.28.2

Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
CID 944
Whiteboard: [good first bug] → [CID 944]

    
  
Summary: Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c) → Coverity Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: