Closed
Bug 345094
Opened 18 years ago
Closed 10 years ago
Assertion failure: srclen > 0, at nssb64d.c:565 (aborts [@ PL_Base64DecodeBuffer] from [@ nsCrypto::GenerateCRMFRequest] or [@ nsCrypto::ImportUserCertificates])
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
People
(Reporter: MatsPalmgren_bugz, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: testcase)
Attachments
(6 files, 2 obsolete files)
Assertion failure: srclen > 0, at nssb64d.c:565 (aborts [@ PL_Base64DecodeBuffer] from [@ nsCrypto::GenerateCRMFRequest]) (bug 104103 could be related but I don't know) STEPS TO REPRODUCE 1. load testcase 2. push the button -> crash (abort through PR_ASSERT) PLATFORMS AND BUILDS TESTED Bug occurs in SeaMonkey trunk debug build.
Reporter | ||
Comment 1•18 years ago
|
||
Reporter | ||
Comment 2•18 years ago
|
||
Reporter | ||
Comment 3•18 years ago
|
||
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/manager/ssl/src/nsCrypto.cpp&rev=1.68&root=/cvsroot&mark=1525#1515
Reporter | ||
Comment 4•18 years ago
|
||
Here's another one: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/manager/ssl/src/nsCrypto.cpp&rev=1.68&root=/cvsroot&mark=1889#1855
Reporter | ||
Updated•18 years ago
|
Summary: Assertion failure: srclen > 0, at nssb64d.c:565 (aborts [@ PL_Base64DecodeBuffer] from [@ nsCrypto::GenerateCRMFRequest]) → Assertion failure: srclen > 0, at nssb64d.c:565 (aborts [@ PL_Base64DecodeBuffer] from [@ nsCrypto::GenerateCRMFRequest] or [@ nsCrypto::ImportUserCertificates])
Comment 5•18 years ago
|
||
From the stack we can see, we call ATOB_ConvertAsciiToItem with parameter 2 (ascii) being the empty string (""). In my opinion NSS should allow this and fail gracefully. I filed NSS bug 346583
No longer depends on: 346583
Comment 6•17 years ago
|
||
This doesn't look like anything more than a bogus assertion, see my last comment in bug 346583 (and the comment about this not being a security bug applies for this one as well). Removing crash keyword as this doesn't crash release builds, but debug builds die due to the bad assertion.
Keywords: crash
Comment 7•17 years ago
|
||
Removing this from the security group, per bug 346583 comment 3 and this bug's comment 6.
Group: security
Updated•15 years ago
|
QA Contact: psm
Reporter | ||
Comment 10•14 years ago
|
||
1.9.2 DEBUG build on Linux64, running cross_fuzz w. seed 1092 file:///usr/local/moz/lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#1092
Reporter | ||
Comment 11•13 years ago
|
||
I've had this in my tree for a while now to avoid getting crashes when running fuzzers.
Attachment #521086 -
Flags: review?(kaie)
Comment 12•13 years ago
|
||
Comment on attachment 521086 [details] [diff] [review] fix? I'd do it the following way, see the comment on result values above the function: - PR_ASSERT(srclen > 0); - if (srclen == 0) - return dest; + if (srclen == 0) { + *output_destlen = 0; + return dest; + } This function returns a bin data, not a null-terminated string! Also note, that the file style is: leave tabs, tab size = 8 spaces
Attachment #521086 -
Flags: review?(kaie) → review-
Reporter | ||
Comment 13•13 years ago
|
||
The documentation above the function says:
/*
* Perform base64 decoding from an input buffer to an output buffer.
* The output buffer can be provided (as "dest"); you can also pass in
* a NULL and this function will allocate a buffer large enough for you,
* and return it. If you do provide the output buffer, you must also
* provide the maximum length of that buffer (as "maxdestlen").
* The actual decoded length of output will be returned to you in
* "output_destlen".
*
* Return value is NULL on error, the output buffer (allocated or provided)
* otherwise.
*/
> + return dest;
This would make the function fail if the caller didn't provide
a destination buffer, and succeed if it did.
I think this function should succeed given an empty input buffer,
so we need to allocate something to return when 'dest' is NULL.
Attachment #521279 -
Flags: review?(honzab.moz)
Reporter | ||
Updated•13 years ago
|
Attachment #521086 -
Attachment is obsolete: true
Comment 14•13 years ago
|
||
Comment on attachment 521279 [details] [diff] [review] fix, v2 Looks like PL_Base64EncodeBuffer has the same problem. If you plan on fixing it, please rather open a different bug. You are right. On success (even the result is zero-length) according to the comment we must return a non-null pointer (a "provided buffer") to not break the API. Not the best design IMHO. >diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c >+ dest = (unsigned char *) PR_Malloc(1); >+ } > return dest; Rather use output_buffer like in the previous patch as dest is actually treated as read-only? Can you please turn your test case to an automated chrome test? r=honzab.
Attachment #521279 -
Flags: review?(honzab.moz) → review+
Reporter | ||
Comment 15•13 years ago
|
||
We can just return the result from PR_Malloc. Added a crashtest.
Attachment #521279 -
Attachment is obsolete: true
Attachment #521366 -
Flags: review?(honzab.moz)
Reporter | ||
Comment 16•13 years ago
|
||
> Looks like PL_Base64EncodeBuffer has the same problem. NSSBase64_EncodeItem() is the only caller at the moment: http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/util/nssb64e.c#664 it handles "inItem->len == 0" at the top. Returning NULL for encoding "" seems wrong to me (it should succeed and return "" as the result), but I don't now this code library well. I'm not intending to fix PL_Base64EncodeBuffer or NSSBase64_EncodeItem. Please file new bugs as you see fit.
Comment 17•13 years ago
|
||
Comment on attachment 521366 [details] [diff] [review] fix, v3 + crashtest The code changes looks good. Thanks for the test. However, it is misplaced. security/nss/crashtests/ won't survive next nss merge to moz-central as it is a separate project with it's branch. The best place for the test is probably security/manager/ssl/crashtests/. r=honzab with moving the test.
Comment 18•13 years ago
|
||
Comment on attachment 521366 [details] [diff] [review] fix, v3 + crashtest See the previous comment please.
Attachment #521366 -
Flags: review?(honzab.moz) → review+
Reporter | ||
Comment 19•13 years ago
|
||
I moved the test to security/manager/ssl/crashtests/ and landed on Cedar: http://hg.mozilla.org/projects/cedar/rev/77ce8faa1906
Assignee: kaie → matspal
Flags: in-testsuite+
OS: Linux → All
Hardware: x86 → All
Whiteboard: fixed-in-cedar
Comment 20•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/77ce8faa1906
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-cedar
Target Milestone: --- → mozilla2.2
Comment 21•13 years ago
|
||
Reopening. This fix wasn't dealt with properly. You incorrectly assumed that this patch would be in PSM. But PSM is mozilla/security/manager This patch changes security/nss/lib/util/nssb64d.c which is NSS! Today I tried to land an updated snapshot of NSS. Despite my previous testing, I was surprised to see a crash failure. I backed out. Then glandium pointed me to this bug. The change to security/nss/lib/util/nssb64d.c must be reviewed by a NSS developer and added to NSS.
Assignee: matspal → nobody
Status: RESOLVED → REOPENED
Component: Security: PSM → Libraries
Product: Core → NSS
QA Contact: psm → libraries
Resolution: FIXED → ---
Target Milestone: mozilla5 → 3.12.10
Version: Trunk → 3.12.10
Comment 22•13 years ago
|
||
Please remember that any changes in directories: - nsprpub - dbm - security/coreconf - security/dbm - security/nss will get OVERWRITTEN whenever updating to newer NSPR/NSS snapshots. The only exception to land patches in mozilla-central into these directories are urgent build blockers, but they must be noted in directory security/patches and you must make sure you drive any fixes into NSPR/NSS upstream. Thanks
Comment 23•13 years ago
|
||
NSS portion that needs review.
Comment 24•13 years ago
|
||
Please see the discussion in the already existing dependent bug 346583, the proper fix should be done there.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Target Milestone: 3.12.10 → ---
Version: 3.12.10 → Trunk
Comment 25•13 years ago
|
||
Comment on attachment 529962 [details] [diff] [review] NSS portion of v3 r- see discussion in bug 346583
Attachment #529962 -
Flags: review-
Comment 26•13 years ago
|
||
I did a tryserver build with this patch backed out, and with the patch from bug 346583 applied. All tests were run, and all tests passed.
Comment 27•13 years ago
|
||
Wan-Teh and I have discussed that the right way to deal with this is to backout this patch, and we have r=bsmith
Comment 28•13 years ago
|
||
backed out http://hg.mozilla.org/mozilla-central/rev/a921de81bc45 You should be able to reland your tests once the dependent NSS bug has been fixed, and the corresponding NSS release delivered into mozilla-central. (Unfortunately it was too late for NSS 3.12.10, which will get released today.)
Reporter | ||
Comment 29•13 years ago
|
||
Will this be fixed in mozilla-central soon? This bug blocking meaningful use of Zalewski's fuzzers...
Comment 30•13 years ago
|
||
The NSS bug 346583 is fixed in NSS 3.12.11. mozilla-central is using NSS_3_13_BETA1, which also has the NSS bug fix. So I believe you can mark this bug fixed now.
Comment 31•10 years ago
|
||
Marking fixed based on Comment 30. In any case, these two functions were removed in Bug 1030963: https://hg.mozilla.org/mozilla-central/diff/68499003df5e/security/manager/ssl/src/nsCrypto.cpp#l1.2207 https://hg.mozilla.org/mozilla-central/diff/68499003df5e/security/manager/ssl/src/nsCrypto.cpp#l1.1839
Status: REOPENED → RESOLVED
Closed: 13 years ago → 10 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•