oom [@ CERT_DecodeDERCrlWithFlags] "extended" tracked as NULL was dereferenced.

RESOLVED FIXED in 3.11.4

Status

Product: NSS
Component: Libraries
Priority: P2
Severity: critical
Status: RESOLVED FIXED
Reported: 11 years ago
Last modified: 6 years ago

People

(Reporter: timeless, Assigned: Julien Pierre)

Tracking

Keywords: coverity, crash
Version: 3.11.2
Target Milestone: 3.11.4

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [CID 1026], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

11 years ago
 
In function CERT_DecodeDERCrlWithFlags, 
when called with option CRL_DECODE_ADOPT_HEAP_DER = 1
        and with option CRL_DECODE_KEEP_BAD_CRL   = 1
        and with option CRL_DECODE_DONT_COPY_DER  = 0,
and  called with narena == NULL,

if the attempt to allocate crl from the arena fails,
then at label loser, we dereference a NULL pointer, 
the variable "extended", in this code:

loser:
    if (options & CRL_DECODE_KEEP_BAD_CRL) {
        extended->decodingError = PR_TRUE;     <<-- crash
        crl->referenceCount = 1;
        return(crl);
    }
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Whiteboard: [CID 1026]
Version: 3.11 → 3.11.2
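An added C model of the error path the description above lays out (editorial example, not NSS code and not the patch attached to this bug). A fault-injecting allocator makes the Nth allocation fail, so control reaches the loser label with crl and/or extended still NULL, and a 'fixed' switch selects a loser path that checks both pointers before using them. It goes slightly beyond the report by also exercising the case where the second allocation (extended) fails. The flag value, the struct layouts, the DER check and the function names are assumptions chosen for the model.

```c
/* Added model of the report's error path (not NSS code). A fault-injecting
 * allocator makes the Nth allocation fail so control reaches the loser label
 * with crl and/or extended still NULL; 'fixed' selects a hardened loser path.
 * The flag value, struct layouts and the DER check are assumptions. */
#include <stdio.h>
#include <stdlib.h>

#define CRL_DECODE_KEEP_BAD_CRL 0x04   /* assumed value for the model */

typedef struct { int decodingError; } OpaqueCRLFields;   /* the "extended" fields */
typedef struct { int referenceCount; OpaqueCRLFields *opaque; } CERTCrl;

/* Outcome codes reported through *outcome so callers (and tests) can inspect them. */
enum { DECODE_OK = 0, DECODE_KEPT_BAD = 1, DECODE_FAILED_NULL = 2, DECODE_WOULD_CRASH = 3 };

static int g_fail_on_call;   /* fault injection: the Nth allocation (1-based) fails; 0 disables */
static int g_call_count;

static void *model_alloc(size_t n)
{
    if (++g_call_count == g_fail_on_call)
        return NULL;
    return calloc(1, n);
}

/* Placeholder for real DER decoding: accept only a SEQUENCE whose length byte matches. */
static int parse_der(const unsigned char *der, size_t len)
{
    return (len >= 2 && der[0] == 0x30 && (size_t)der[1] == len - 2) ? 0 : -1;
}

/* Same shape as the flow in the report: allocate crl, allocate extended, parse.
 * Returns the crl (free with free_crl) or NULL and reports what happened in *outcome. */
static CERTCrl *decode_crl(const unsigned char *der, size_t len, int options,
                           int fixed, int *outcome)
{
    CERTCrl *crl = NULL;
    OpaqueCRLFields *extended = NULL;

    crl = model_alloc(sizeof *crl);
    if (crl == NULL)
        goto loser;                           /* extended is still NULL here */
    extended = model_alloc(sizeof *extended);
    if (extended == NULL)
        goto loser;                           /* crl allocated, extended NULL */
    crl->opaque = extended;
    if (parse_der(der, len) != 0)
        goto loser;                           /* both allocated: a "bad CRL" */
    crl->referenceCount = 1;
    *outcome = DECODE_OK;
    return crl;

loser:
    if (options & CRL_DECODE_KEEP_BAD_CRL) {
        int usable = (crl != NULL && extended != NULL);
        if (!usable && !fixed) {
            /* The original path wrote extended->decodingError unconditionally;
             * report the NULL write instead of performing it so the model runs. */
            free(crl);
            *outcome = DECODE_WOULD_CRASH;
            return NULL;
        }
        if (usable) {
            extended->decodingError = 1;      /* hand back a flagged, refcounted CRL */
            crl->referenceCount = 1;
            *outcome = DECODE_KEPT_BAD;
            return crl;
        }
        /* fixed and nothing usable: fall through to ordinary cleanup */
    }
    free(extended);
    free(crl);
    *outcome = DECODE_FAILED_NULL;
    return NULL;
}

static void free_crl(CERTCrl *crl)
{
    if (crl != NULL) { free(crl->opaque); free(crl); }
}

/* Runs one scenario with the given fault injection and returns its outcome code. */
static int run_scenario(int fail_on_call, const unsigned char *der, size_t len,
                        int options, int fixed)
{
    int outcome = -1;
    g_call_count = 0;
    g_fail_on_call = fail_on_call;
    free_crl(decode_crl(der, len, options, fixed, &outcome));
    return outcome;
}

/* Constructed sample inputs: a well-formed SEQUENCE and a non-SEQUENCE blob. */
static const unsigned char GOOD_DER[] = { 0x30, 0x02, 0x05, 0x00 };
static const unsigned char BAD_DER[]  = { 0x02, 0x01, 0x01 };

int main(void)
{
    static const char *names[] = { "ok", "kept bad CRL", "NULL, no crash", "would crash" };
    int fixed, fail;
    for (fixed = 0; fixed <= 1; fixed++)
        for (fail = 1; fail <= 2; fail++)
            printf("%s path, allocation %d fails: %s\n", fixed ? "fixed" : "original", fail,
                   names[run_scenario(fail, GOOD_DER, sizeof GOOD_DER, CRL_DECODE_KEEP_BAD_CRL, fixed)]);
    return 0;
}
```

Compile with any C compiler and run: the original path reports "would crash" for both failing allocations, the fixed path returns NULL without touching either pointer, and a CRL that allocates but fails to parse is still handed back with decodingError set under CRL_DECODE_KEEP_BAD_CRL in both variants. The hardened path checks both crl and extended, matching the two cases the attachment summary on this bug names, but it is this model's own code, not the checked-in fix.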
(Assignee)

Updated

11 years ago
Assignee: nobody → julien.pierre.bugs
(Assignee)

Updated

11 years ago
Target Milestone: --- → 3.11.4
(Assignee)

Comment 2

11 years ago
Created attachment 237819
Fix crash if extended is NULL. Also handle crl NULL case properly
Attachment #237819 - Flags: superreview?(nelson)
Attachment #237819 - Flags: review?(alexei.volkov.bugs)

Comment 3

11 years ago
Comment on attachment 237819
Fix crash if extended is NULL. Also handle crl NULL case properly

r=alexei.volkov
Attachment #237819 - Flags: review?(alexei.volkov.bugs) → review+
Attachment #237819 - Flags: superreview?(nelson) → superreview+
(Assignee)

Comment 4

11 years ago
Checked in to the tip :

Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v  <--  crl.c
new revision: 1.54; previous revision: 1.53

And NSS_3_11_BRANCH :

Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v  <--  crl.c
new revision: 1.49.24.4; previous revision: 1.49.24.3
done
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ CERT_DecodeDERCrlWithFlags]