Closed
Bug 351580
Opened 18 years ago
Closed 16 years ago
Possible null pointer dereferences in |nsCrypto::GenerateCRMFRequest|
Categories
(Core :: Security: PSM, defect, P2)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla1.9beta5
People
(Reporter: kherron+mozilla, Assigned: mayhemer)
References
(Blocks 1 open bug, )
Details
(Keywords: coverity)
Attachments
(1 file)
6.23 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
This is coverity ID 1016. Please see the sample URL. |nsCrypto::GenerateCRMFRequest| makes several calls to |JS_ValueToString| without checking the return value for NULL. |JS_ValueToString| calls |js_ValueToString| which may return NULL in some circumstances. Coverity flagged five different call sites between lines 1475-1505.
afaik this code also runs entirely afoul of js gc rooting, each string appears to be temporarily requested w/o being rooted and then the only root reference to it is forgotten and somehow this code expects the char* pointers from it to survive long enough while it proceeds to repeat this pattern and risk gc's numerous times.
Updated•17 years ago
|
QA Contact: psm
Updated•17 years ago
|
Flags: blocking1.9?
Comment 2•17 years ago
|
||
+ing - comment 1 sounds a little scary. Kai you have cycles for this?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Comment 3•17 years ago
|
||
I could come up with a patch for comment 0. Regarding comment 1, I don't understand the term "js gc rooting", so I don't know what to do to fix it. Help, pointers, or a more detailed explanation definitively welcome. Timeless, could you elaborate, what are the variable names you are referring to? Which variable is the root reference that is being forgotton?
Comment 4•17 years ago
|
||
timeless is referring to the fact that in an exact GC model, you must protect all JS values you use in C against GC explicitly because the JS collector doesn't know about them. See http://developer.mozilla.org/en/docs/SpiderMonkey_Garbage_Collection_Tips as a reference.
Assignee | ||
Comment 5•16 years ago
|
||
This is fixed according to G_C_Types documentation. I also added requests around callback evaluation and root removal in dtor. CHECK_REQUEST assertion was failing.
Attachment #306343 -
Flags: review?(mrbkap)
Assignee | ||
Updated•16 years ago
|
Assignee: kengert → honzab
Assignee | ||
Updated•16 years ago
|
Status: NEW → ASSIGNED
Updated•16 years ago
|
Attachment #306343 -
Flags: review?(mrbkap) → review+
Updated•16 years ago
|
Attachment #306343 -
Flags: approval1.9?
Updated•16 years ago
|
Flags: tracking1.9+ → blocking1.9+
Priority: P3 → P2
Updated•16 years ago
|
Keywords: checkin-needed
Comment 6•16 years ago
|
||
Comment on attachment 306343 [details] [diff] [review] Fixed !NULL checks + GC rooting, v1 This is a blocker. No need for approval.
Attachment #306343 -
Flags: approval1.9?
Comment 7•16 years ago
|
||
Checking in security/manager/ssl/src/nsCrypto.cpp; /cvsroot/mozilla/security/manager/ssl/src/nsCrypto.cpp,v <-- nsCrypto.cpp new revision: 1.78; previous revision: 1.77 done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9
Updated•16 years ago
|
Target Milestone: mozilla1.9 → mozilla1.9beta5
Updated•6 years ago
|
Blocks: coverity-analysis
You need to log in
before you can comment on or make changes to this bug.
Description
•