Closed
Bug 351580
Opened 18 years ago
Closed 16 years ago
Possible null pointer dereferences in |nsCrypto::GenerateCRMFRequest|
Categories
(Core :: Security: PSM, defect, P2)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla1.9beta5
People
(Reporter: kherron+mozilla, Assigned: mayhemer)
References
(Blocks 1 open bug, )
Details
(Keywords: coverity)
Attachments
(1 file)
|
6.23 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
This is coverity ID 1016. Please see the sample URL. |nsCrypto::GenerateCRMFRequest| makes several calls to |JS_ValueToString| without checking the return value for NULL. |JS_ValueToString| calls |js_ValueToString| which may return NULL in some circumstances. Coverity flagged five different call sites between lines 1475-1505.
afaik this code also runs entirely afoul of js gc rooting, each string appears to be temporarily requested w/o being rooted and then the only root reference to it is forgotten and somehow this code expects the char* pointers from it to survive long enough while it proceeds to repeat this pattern and risk gc's numerous times.
|
||
Updated•17 years ago
|
QA Contact: psm
|
||
Updated•17 years ago
|
Flags: blocking1.9?
|
||
Comment 2•17 years ago
|
||
+ing - comment 1 sounds a little scary. Kai you have cycles for this?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
|
||
Comment 3•17 years ago
|
||
I could come up with a patch for comment 0. Regarding comment 1, I don't understand the term "js gc rooting", so I don't know what to do to fix it. Help, pointers, or a more detailed explanation definitively welcome. Timeless, could you elaborate, what are the variable names you are referring to? Which variable is the root reference that is being forgotton?
|
||
Comment 4•17 years ago
|
||
timeless is referring to the fact that in an exact GC model, you must protect all JS values you use in C against GC explicitly because the JS collector doesn't know about them. See http://developer.mozilla.org/en/docs/SpiderMonkey_Garbage_Collection_Tips as a reference.
|
Assignee | |
Comment 5•16 years ago
|
||
This is fixed according to G_C_Types documentation. I also added requests around callback evaluation and root removal in dtor. CHECK_REQUEST assertion was failing.
Attachment #306343 -
Flags: review?(mrbkap)
|
|
Assignee | |
Updated•16 years ago
|
Assignee: kengert → honzab
|
|
Assignee | |
Updated•16 years ago
|
Status: NEW → ASSIGNED
|
|
||
Updated•16 years ago
|
Attachment #306343 -
Flags: review?(mrbkap) → review+
|
||
Updated•16 years ago
|
Attachment #306343 -
Flags: approval1.9?
|
|
||
Updated•16 years ago
|
Flags: tracking1.9+ → blocking1.9+
Priority: P3 → P2
|
||
Updated•16 years ago
|
Keywords: checkin-needed
|
|
||
Comment 6•16 years ago
|
||
Comment on attachment 306343 [details] [diff] [review] Fixed !NULL checks + GC rooting, v1 This is a blocker. No need for approval.
Attachment #306343 -
Flags: approval1.9?
|
|
||
Comment 7•16 years ago
|
||
Checking in security/manager/ssl/src/nsCrypto.cpp; /cvsroot/mozilla/security/manager/ssl/src/nsCrypto.cpp,v <-- nsCrypto.cpp new revision: 1.78; previous revision: 1.77 done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9
|
|
||
Updated•16 years ago
|
Target Milestone: mozilla1.9 → mozilla1.9beta5
|
||
Updated•6 years ago
|
Blocks: coverity-analysis
You need to log in
before you can comment on or make changes to this bug.
Description
•