Closed Bug 341124 Opened 18 years ago Closed 14 years ago

Coverity 522 Callers of mp_unsigned_octet_size don't check for negative return value

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Version:
3.11.1
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: timeless)

Details

(Keywords: coverity, Whiteboard: [CID 522 523] FIPS)

Attachments

(1 file, 2 obsolete files)

localized
3.81 KB, patch
timeless
: review+
nelson
: superreview+
Details | Diff | Splinter Review 
mp_unsigned_octet_size can return a negative value.
Freebl functions DH_Derive and KEA_Derive call it and do not check its
return value for a negative number before using it.  
Coverity thinks they should
Priority: -- → P3
Whiteboard: [CID 522 523]
Target Milestone: 3.11.3 → ---
Attached patch proposal (obsolete) — Splinter Review 
Assignee: nobody → timeless
Status: NEW → ASSIGNED

        Attachment #430921 -
        Flags: review?(nelson)

    
    

    
  
Code is inside the FIPS boundary
Whiteboard: [CID 522 523] → [CID 522 523] FIPS

    
    

    
  
Comment on attachment 430921 [details] [diff] [review]
proposal


>     CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
>     /* number of bytes in the derived secret */
>     len = mp_unsigned_octet_size(&ZZ);
>+    if (len <= 0) {
>+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
>+        return SECFailure;
>+    }

Uh, this will cause a leak of all the allocated mp_ints.  
Think about going to the "cleanup" label instead.

        Attachment #430921 -
        Flags: review?(nelson) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        cleanup (obsolete)
        — Splinter Review
      

    


  

        Attachment #430921 -
        Attachment is obsolete: true

        Attachment #431045 -
        Flags: review?(nelson)

    
    

    
  
Comment on attachment 431045 [details] [diff] [review]
cleanup

I believe this change is correct, so I will give it r+, but I would
like to suggest that you consider a further improvement.
Rather than adding a new variable declaration in every function that
uses the macro MPINT_TO_SECITEM, I'd suggest you embed the 
declaration in that macro, e.g. something like this:


> #define MPINT_TO_SECITEM(mp, it, arena)                         \
>+ do { int mpintLen = mp_unsigned_octet_size(mp);                \
>+    if (mpintLen <= 0) {err = MP_RANGE; goto cleanup;}          \
>+    SECITEM_AllocItem(arena, (it), mpintLen);                   \
>     if ((it)->data == NULL) {err = MP_MEM; goto cleanup;}       \
>     err = mp_to_unsigned_octets(mp, (it)->data, (it)->len);     \
>     if (err < 0) goto cleanup; else err = MP_OKAY;              \
>+  } while (0)

        Attachment #431045 -
        Flags: review?(nelson) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        localizedSplinter Review
      

    


  

        Attachment #431045 -
        Attachment is obsolete: true

        Attachment #431069 -
        Flags: review+

        Attachment #431069 -
        Flags: superreview+
Target Milestone: --- → 3.13

    
    

    
  
Checking in dh.c;      new revision: 1.8.8.1; previous revision: 1.8
Checking in secmpi.h;  new revision: 1.5.132.1; previous revision: 1.5
Checking in mpi/mpi.c; new revision: 1.45.56.1; previous revision: 1.45

Thanks Timeless
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: