Closed Bug 340018 Opened 15 years ago Closed 15 years ago

Coverity 222 & 223, NSSCKFWC_InitToken passes NULL to nssCKFWToken_Destroy

Categories

(NSS :: Libraries, defect, P2)

3.11.1
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.11.2

People

(Reporter: nelson, Assigned: nelson)

Details

(Keywords: coverity, Whiteboard: [CID 216 217 218 219 220 221 222 223])

Attachments

(1 file)

In NSSCKFWC_InitToken, there are numerous error paths that set variable 
"error" to some non-zero value and then go to loser.   Many of these paths 
have the effect that variable fwToken is NULL when label loser is reached.

At label loser, a switch on the variable "error" will cause fwToken to be
passed to nssCKFWToken_Destroy, which will dereference it.
Coverity CID 220 & CID 221
This same problem is present in NSSCKFWC_GetTokenInfo.

Coverity CID 218 and CID 219
Same problem in  NSSCKFWC_GetMechanismList

Coverity CID 216 & CID 217
Same problem in  NSSCKFWC_GetMechanismInfo

I think the solution in all these functiosn is to change one line of 
duplicated code, as follows:

646  	 loser:
647  	  switch( error ) {

At conditional (3): "error == 50" taking true path

648  	  case CKR_DEVICE_REMOVED:
649  	  case CKR_TOKEN_NOT_PRESENT:
650-  	    (void)nssCKFWToken_Destroy(fwToken);
650+ 	    if (fwToken) (void)nssCKFWToken_Destroy(fwToken);
651  	    break;
Priority: -- → P2
Summary: Coverity 222, NSSCKFWC_InitToken passes NULL to nssCKFWToken_Destroy → Coverity 222 & 223, NSSCKFWC_InitToken passes NULL to nssCKFWToken_Destroy
Target Milestone: --- → 3.11.2
Attached patch patch v1Splinter Review
Bob, please review
Assignee: rrelyea → nelson
Status: NEW → ASSIGNED
Attachment #224832 - Flags: review?(rrelyea)
Attachment #224832 - Flags: review?(alexei.volkov.bugs)
Comment on attachment 224832 [details] [diff] [review]
patch v1

r=alexei.volkov
Attachment #224832 - Flags: review?(alexei.volkov.bugs) → review+
Don't call nssCKFWToken_Destroy with NULL. Bug 340018. r=alexei.volkov
Checking in wrap.c; new revision: 1.13.2.1; previous revision: 1.13
Checking in wrap.c; new revision: 1.15;     previous revision: 1.14
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [CID 216 217 218 219 220 221 222 223]
Comment on attachment 224832 [details] [diff] [review]
patch v1

r+
Attachment #224832 - Flags: review?(rrelyea) → review+
You need to log in before you can comment on or make changes to this bug.