Closed
Bug 338352
Opened 19 years ago
Closed 19 years ago
Coverity Leak and OOM crash in PK11_PubDeriveWithKDF (security/nss/lib/pk11wrap/pk11skey.c)
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.2
People
(Reporter: kherron+mozilla, Assigned: nelson)
References
()
Details
(Keywords: coverity, crash, Whiteboard: CID 317)
Attachments
(2 files)
|
4.57 KB,
patch
|
rrelyea
:
review+
alvolkov.bgs
:
review+
wtc
:
superreview+
|
Details | Diff | Splinter Review |
|
7.43 KB,
patch
|
rrelyea
:
review+
|
Details | Diff | Splinter Review |
This is coverity CID 317. Please see the sample URL. The allocation into |mechParams| at line 1710 leaks if the test on the next line succeeds.
Additionally, it looks like |PORT_ZNew| is just a wrapper around |PR_Calloc| which can fail and return null, but there's no check for that here.
|
Assignee | |
Comment 1•19 years ago
|
||
To be consistent with the other coverity bugs about NULL pointer dereferences
this bug should be critical.
Taking.
Assignee: nobody → nelson
Severity: minor → critical
Keywords: crash
Priority: -- → P2
Summary: Leak in PK11_PubDeriveWithKDF (security/nss/lib/pk11wrap/pk11skey.c) → Leak and NULL ptr crash in PK11_PubDeriveWithKDF (security/nss/lib/pk11wrap/pk11skey.c)
Target Milestone: --- → 3.11.2
Version: unspecified → 3.11
|
|
Assignee | |
Comment 2•19 years ago
|
||
This patch:
a) plugs the leak
b) eliminates the OOM crash
c) eliminates the unnecessary creation and immediate destruction of a
symkey that occurred for all cases except ecKey. (Did that serve a
useful purpose?)
d) moves all the variable declarations and initializations that are ONLY
used for case ecKey into case ecKey.
Bob, please review
Attachment #222478 -
Flags: review?(rrelyea)
|
|
Assignee | |
Comment 3•19 years ago
|
||
Add requested reviewer to cc list
Summary: Leak and NULL ptr crash in PK11_PubDeriveWithKDF (security/nss/lib/pk11wrap/pk11skey.c) → Leak and OOM crash in PK11_PubDeriveWithKDF (security/nss/lib/pk11wrap/pk11skey.c)
|
|
Assignee | |
Comment 4•19 years ago
|
||
Comment on attachment 222478 [details] [diff] [review]
plug leaks, eiminate unnecessary creation+freeing of symkey, reduce scope of numerous variables
Seeking additional reviewers. Just need one (I think)
Attachment #222478 -
Attachment description: plug leaks, eiminate unnecessary creation+freeing of symkey → plug leaks, eiminate unnecessary creation+freeing of symkey, reduce scope of numerous variables
Attachment #222478 -
Flags: superreview?(wtchang)
Attachment #222478 -
Flags: review?(alexei.volkov.bugs)
|
||
Comment 5•19 years ago
|
||
Comment on attachment 222478 [details] [diff] [review]
plug leaks, eiminate unnecessary creation+freeing of symkey, reduce scope of numerous variables
r=wtc.
Remark 1: This patch reformats all the variable
declarations to a different coding style. I
implore Nelson to resist the urge to make this
kind of changes. It leaves the file in a mixture
of coding styles.
Remark 2: This function can be further improved by
rewriting the switch statement as an if statement:
/* variable declarations in the original ecKey case */
...
if (privKey->keyType != ecKey) {
return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB,
derive, target, operation, keySize, wincx);
}
/*
* the original ecKey case, replacing 'break' with
* 'return NULL'
*/
...
Attachment #222478 -
Flags: superreview?(wtchang) → superreview+
|
|
||
Updated•19 years ago
|
Attachment #222478 -
Flags: review?(alexei.volkov.bugs) → review+
|
|
Assignee | |
Comment 6•19 years ago
|
||
Maybe this patch is clearer than the previous one.
Bob? what do you think?
Attachment #222987 -
Flags: review?(rrelyea)
|
||
Comment 7•19 years ago
|
||
Comment on attachment 222987 [details] [diff] [review]
Alternative patch 2, factor EC case out into separate function
r+ = relyea
both patches are acceptable. This one is preferred.
bob
Attachment #222987 -
Flags: review?(rrelyea) → review+
|
|
||
Comment 8•19 years ago
|
||
Comment on attachment 222478 [details] [diff] [review]
plug leaks, eiminate unnecessary creation+freeing of symkey, reduce scope of numerous variables
r+
Though the other patch is preferred.
Attachment #222478 -
Flags: review?(rrelyea) → review+
|
|
Assignee | |
Comment 9•19 years ago
|
||
Checked in on branch.
Fix leak and OOM crash. Bug 338352. Coverity. r=rrelyea
Checking in pk11skey.c; new revision: 1.108.2.1; previous revision: 1.108
|
|
Assignee | |
Comment 10•19 years ago
|
||
Fix leak and OOM crash. Bug 338352 and 338356. Coverity.
r=rrelyea, alexei.volkov
Checking in pk11skey.c; new revision: 1.109; previous revision: 1.108
Checking in pk11skey.c; new revision: 1.108.2.1; previous revision: 1.108
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
||
Updated•19 years ago
|
Summary: Leak and OOM crash in PK11_PubDeriveWithKDF (security/nss/lib/pk11wrap/pk11skey.c) → Coverity Leak and OOM crash in PK11_PubDeriveWithKDF (security/nss/lib/pk11wrap/pk11skey.c)
You need to log in
before you can comment on or make changes to this bug.
Description
•