Bug 352041 - oom [@ CERT_DecodeDERCrlWithFlags] "extended" tracked as NULL was dereferenced.
Status: RESOLVED FIXED
Whiteboard: [CID 1026]
Keywords: coverity, crash
Product: NSS
Classification: Components
Component: Libraries
Version: 3.11.2
Platform: All All
Importance: P2 critical
Target Milestone: 3.11.4
Assigned To: Julien Pierre
http://bonsai.mozilla.org/cvsblame.cg...
Reported: 2006-09-10 07:41 PDT by timeless
Modified: 2011-06-13 10:01 PDT


Attachments
Fix crash if extended is NULL. Also handle crl NULL case properly (858 bytes, patch)
2006-09-11 14:00 PDT, Julien Pierre
alvolkov.bgs: review+
nelson: superreview+

Description timeless 2006-09-10 07:41:41 PDT
 
Comment 1 Nelson Bolyard (seldom reads bugmail) 2006-09-10 12:39:21 PDT
In function CERT_DecodeDERCrlWithFlags,
when called with option CRL_DECODE_ADOPT_HEAP_DER = 1
        and with option CRL_DECODE_KEEP_BAD_CRL   = 1
        and with option CRL_DECODE_DONT_COPY_DER  = 0,
and called with narena == NULL,

if the attempt to allocate crl from the arena fails,
then at label loser, we dereference a NULL pointer,
the variable "extended", in this code:

    loser:
        if (options & CRL_DECODE_KEEP_BAD_CRL) {
            extended->decodingError = PR_TRUE;     /* <<-- crash */
            crl->referenceCount = 1;
            return(crl);
        }
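
Added illustration, not part of the bug comments or NSS source: a simplified C model of the cleanup path Comment 1 describes, with the `loser` branch guarded so that an allocation failure returns NULL instead of dereferencing a NULL `extended` or `crl`. The `model_*` names, `MODEL_KEEP_BAD_CRL` and its value, and the allocation-failure hook are assumptions made for the example.

```c
#include <stdlib.h>

/* Simplified model, not NSS source. MODEL_KEEP_BAD_CRL stands in for
 * CRL_DECODE_KEEP_BAD_CRL; its value here is constructed. */
#define MODEL_KEEP_BAD_CRL 0x1u

typedef struct { int decodingError; } model_ext;
typedef struct { model_ext *opaque; int referenceCount; } model_crl;

/* Test hook: number of allocations that succeed before one fails (-1: never). */
static int allocs_before_failure = -1;

static void *model_alloc(size_t n)
{
    if (allocs_before_failure == 0) return NULL;      /* simulated OOM */
    if (allocs_before_failure > 0) allocs_before_failure--;
    return calloc(1, n);
}

/* Returns a CRL object or NULL. bad_der != 0 simulates a decoding error. */
model_crl *model_decode(unsigned options, int bad_der)
{
    model_crl *crl = NULL;
    model_ext *extended = NULL;

    if (!(crl = model_alloc(sizeof *crl))) goto loser;
    if (!(extended = model_alloc(sizeof *extended))) goto loser;
    crl->opaque = extended;
    if (bad_der) goto loser;
    crl->referenceCount = 1;
    return crl;

loser:
    /* Guarded cleanup: a "bad" CRL can only be kept if both objects exist.
     * Without the NULL checks, the OOM path dereferences NULL here. */
    if ((options & MODEL_KEEP_BAD_CRL) && crl && extended) {
        extended->decodingError = 1;
        crl->referenceCount = 1;
        return crl;
    }
    free(extended);
    free(crl);
    return NULL;
}

int main(void)
{
    allocs_before_failure = 0;   /* first allocation fails, as in the report */
    return model_decode(MODEL_KEEP_BAD_CRL, 0) == NULL ? 0 : 1;
}
```
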
Comment 2 Julien Pierre 2006-09-11 14:00:23 PDT
Created attachment 237819
Fix crash if extended is NULL. Also handle crl NULL case properly
Comment 3 Alexei Volkov 2006-09-11 14:44:20 PDT
Comment on attachment 237819
Fix crash if extended is NULL. Also handle crl NULL case properly

r=alexei.volkov
Comment 4 Julien Pierre 2006-09-11 16:14:21 PDT
Checked in to the tip:

Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v  <--  crl.c
new revision: 1.54; previous revision: 1.53

And NSS_3_11_BRANCH:

Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v  <--  crl.c
new revision: 1.49.24.4; previous revision: 1.49.24.3
done
