Coverity Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c)

RESOLVED FIXED in 3.11.2

Status

P2
critical
RESOLVED FIXED
13 years ago
13 years ago

People

(Reporter: kherron+mozilla, Assigned: alvolkov.bgs)

Tracking

({coverity})

3.11
3.11.2
coverity

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [CID 944], URL)

Attachments

(2 attachments)

(Reporter)

Description

13 years ago
This is coverity CID 944. Please refer to the sample URL. At line 339, |derDest.data| is freed. If the test on line 340 succeeds, execution branches to line 346 where |derDest.data| is freed again a few lines later.
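
The shape described in the report (a buffer is freed, then a failing check branches to cleanup code that frees it again), as an added example that is not the NSS source or the attached patch. `Item`, `t_alloc`, `t_free`, `set_pop` and the one-slot tracking allocator are constructed for illustration; clearing the pointer after the first free is an assumed remedy, since the patch itself is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a (data, len) buffer holder; not the NSS type. */
typedef struct { unsigned char *data; size_t len; } Item;

/* One-slot tracking allocator: counts a second free instead of corrupting a heap. */
static unsigned char arena[64];
static int arena_live, double_frees;

static void *t_alloc(void) { arena_live = 1; return arena; }
static void t_free(void *p) {
    if (p == NULL) return;
    if (!arena_live) { double_frees++; return; }
    arena_live = 0;
}

/* fixed=0: free, then branch to cleanup that frees again (the reported shape).
 * fixed=1: clear the pointer right after the free (assumed remedy). */
static int set_pop(int fixed, int fail_after_free) {
    Item derDest = { NULL, 0 };
    derDest.data = t_alloc();
    derDest.len = sizeof arena;
    int rv = fail_after_free ? -1 : 0;  /* stand-in for the step whose result is tested */
    t_free(derDest.data);               /* first free */
    if (fixed) derDest.data = NULL;     /* cleanup below now skips it */
    if (rv != 0) goto loser;
    return 0;
loser:
    if (derDest.data != NULL) t_free(derDest.data);  /* second free when not fixed */
    return -1;
}

/* Run one scenario and report how many double frees the allocator saw. */
int count_double_frees(int fixed, int fail_after_free) {
    double_frees = 0;
    set_pop(fixed, fail_after_free);
    return double_frees;
}

int main(void) {
    printf("vulnerable, error path: %d\n", count_double_frees(0, 1));
    printf("vulnerable, success:    %d\n", count_double_frees(0, 0));
    printf("fixed, error path:      %d\n", count_double_frees(1, 1));
    return 0;
}
```

The double free only shows up on the error path, which is why ordinary success-path testing misses it and a static analyzer following the branch to the cleanup label finds it.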
(Reporter)

Updated

13 years ago
Whiteboard: [good first bug]
Target Milestone: --- → 3.11.2
Yup, it's a double-free all right.
Severity: normal → critical
Priority: -- → P2
Version: unspecified → 3.11
(Assignee)

Updated

13 years ago
Assignee: nobody → alexei.volkov.bugs
(Assignee)

Comment 2

13 years ago
Created attachment 222750 [details] [diff] [review]
fix
Attachment #222750 - Flags: review?(nelson)
Comment on attachment 222750 [details] [diff] [review]
fix

This code could surely use some comments, and some variables should be 
renamed.  For example, derDest should be derTemp, because it is NOT the
destination, but only a temporary holder.  

But this patch appears to correctly fix the bug it targets.
r=nelson
Attachment #222750 - Flags: review?(nelson) → review+
(Assignee)

Comment 4

13 years ago
Bug fix integration:
trunk:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.5; previous revision: 1.4

3.11 branch:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.3.28.2; previous revision: 1.3.28.1
(Assignee)

Comment 5

13 years ago
Created attachment 222949 [details] [diff] [review]
variable rename
Attachment #222949 - Flags: review?(nelson)
Comment on attachment 222949 [details] [diff] [review]
variable rename

r=nelson
Attachment #222949 - Flags: review?(nelson) → review+
(Assignee)

Comment 7

13 years ago
second patch integration:
trunk:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.6; previous revision: 1.5

3.11 branch:
/cvsroot/mozilla/security/nss/lib/crmf/crmfpop.c,v  <--  crmfpop.c
new revision: 1.3.28.3; previous revision: 1.3.28.2
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
CID 944
Whiteboard: [good first bug] → [CID 944]

Updated

13 years ago
Summary: Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c) → Coverity Double free in CRMF_CertReqMsgSetSignaturePOP (security/nss/lib/crmf/crmfpop.c)