Closed Bug 352041 Opened 14 years ago Closed 14 years ago

oom [@ CERT_DecodeDERCrlWithFlags] "extended" tracked as NULL was dereferenced.

Categories

(NSS :: Libraries, defect, P2, critical)

3.11.2
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.11.4

People

(Reporter: timeless, Assigned: julien.pierre)

References

()

Details

(Keywords: coverity, crash, Whiteboard: [CID 1026])

Crash Data

Attachments

(1 file)

 
In function CERT_DecodeDERCrlWithFlags,
when called with option CRL_DECODE_ADOPT_HEAP_DER = 1
        and with option CRL_DECODE_KEEP_BAD_CRL   = 1
        and with option CRL_DECODE_DONT_COPY_DER  = 0,
and called with narena == NULL,

if the attempt to allocate crl from the arena fails,
then at label loser, we dereference a NULL pointer,
the variable "extended", in this code:

    loser:
        if (options & CRL_DECODE_KEEP_BAD_CRL) {
            extended->decodingError = PR_TRUE;     <<-- crash
            crl->referenceCount = 1;
            return(crl);
        }
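The failure path the report describes, as an added example that is not NSS code and not the patch in attachment 237819: a toy decoder with the same loser-label structure, a fault-injecting allocator so the crl or extended allocation can be made to fail on demand (the out-of-memory case Coverity flagged, which ordinary testing rarely reaches), and NULL checks at the label so a partially built object is released instead of dereferenced. The type and function names (ModelCrl, ModelCrlExtended, model_decode_crl, model_alloc, model_crl_destroy), the DER check and the flag bit values are assumptions made for this model; only the flag names and the fields decodingError and referenceCount come from the report.

```c
#include <stdlib.h>
#include <string.h>

/* Flag names come from the report; these bit values are constructed for the model. */
#define CRL_DECODE_DONT_COPY_DER 0x01
#define CRL_DECODE_KEEP_BAD_CRL  0x02

/* Hypothetical stand-ins for the "extended" and "crl" objects named in the report. */
typedef struct { int decodingError; unsigned char *der; size_t derLen; int ownsDer; } ModelCrlExtended;
typedef struct { int referenceCount; ModelCrlExtended *extended; } ModelCrl;

/* Fault-injecting allocator: the n-th call (0 = first) returns NULL; n < 0 never fails. */
static int g_allocs_until_fail = -1;
void model_set_alloc_failure(int n) { g_allocs_until_fail = n; }

static void *model_alloc(size_t n)
{
    if (g_allocs_until_fail == 0) { g_allocs_until_fail = -1; return NULL; }
    if (g_allocs_until_fail > 0) g_allocs_until_fail--;
    return calloc(1, n);
}

void model_crl_destroy(ModelCrl *crl)
{
    if (!crl) return;
    if (crl->extended && crl->extended->ownsDer) free(crl->extended->der);
    free(crl->extended);   /* free(NULL) is a no-op */
    free(crl);
}

/* Toy decoder: the only parsing is a check for a DER SEQUENCE (0x30) whose length
 * byte matches the buffer, enough to give KEEP_BAD_CRL a malformed CRL to keep. */
ModelCrl *model_decode_crl(const unsigned char *der, size_t derLen, int options)
{
    ModelCrl *crl = NULL;
    ModelCrlExtended *extended = NULL;
    crl = model_alloc(sizeof *crl);
    if (!crl) goto loser;        /* the report's case: extended is still NULL here */
    extended = model_alloc(sizeof *extended);
    if (!extended) goto loser;
    crl->extended = extended;
    if (options & CRL_DECODE_DONT_COPY_DER) {
        extended->der = (unsigned char *)der;   /* alias the caller's buffer */
    } else {
        extended->der = model_alloc(derLen);
        if (!extended->der) goto loser;
        memcpy(extended->der, der, derLen);
        extended->ownsDer = 1;
    }
    extended->derLen = derLen;
    if (derLen < 2 || der[0] != 0x30 || (size_t)der[1] != derLen - 2)
        goto loser;              /* malformed input, the case KEEP_BAD_CRL exists for */
    crl->referenceCount = 1;
    return crl;

loser:
    /* The original did extended->decodingError = PR_TRUE; crl->referenceCount = 1;
     * unconditionally under KEEP_BAD_CRL. Only a fully built object can be handed back. */
    if ((options & CRL_DECODE_KEEP_BAD_CRL) && crl && extended) {
        extended->decodingError = 1;
        crl->referenceCount = 1;
        return crl;
    }
    model_crl_destroy(crl);      /* tolerates crl == NULL; frees extended through it */
    return NULL;
}

/* Constructed inputs: SEQUENCE { NULL }, and the same bytes with a wrong outer tag. */
static const unsigned char kGoodDer[] = { 0x30, 0x02, 0x05, 0x00 };
static const unsigned char kBadDer[]  = { 0x04, 0x02, 0x05, 0x00 };

/* Each scenario returns 1 on the expected outcome, 0 otherwise. */
int scenario_crl_alloc_fails(void)        /* the report's crash: first allocation fails */
{
    model_set_alloc_failure(0);
    return model_decode_crl(kGoodDer, sizeof kGoodDer, CRL_DECODE_KEEP_BAD_CRL) == NULL;
}
int scenario_extended_alloc_fails(void)   /* crl exists, extended does not */
{
    model_set_alloc_failure(1);
    return model_decode_crl(kGoodDer, sizeof kGoodDer, CRL_DECODE_KEEP_BAD_CRL) == NULL;
}
int scenario_bad_crl_kept(void)           /* malformed DER, caller asked to keep it */
{
    model_set_alloc_failure(-1);
    ModelCrl *c = model_decode_crl(kBadDer, sizeof kBadDer, CRL_DECODE_KEEP_BAD_CRL);
    int ok = c && c->extended && c->extended->decodingError == 1 && c->referenceCount == 1;
    model_crl_destroy(c);
    return ok;
}
int scenario_good_crl(void)               /* well-formed DER, aliased rather than copied */
{
    model_set_alloc_failure(-1);
    ModelCrl *c = model_decode_crl(kGoodDer, sizeof kGoodDer, CRL_DECODE_DONT_COPY_DER);
    int ok = c && c->extended->decodingError == 0 && c->referenceCount == 1 && !c->extended->ownsDer;
    model_crl_destroy(c);
    return ok;
}
```

The point of the loser block is that KEEP_BAD_CRL is a promise about malformed input, not about allocation failure: a caller that asked to keep a bad CRL still needs a whole object to hold the error flag, so the checks on crl and extended decide between "return it flagged" and "tear down and return NULL". In NSS the allocation comes from a PLArena created inside the function when narena is NULL; the model uses calloc for the same role, and the counter in model_alloc is what lets a unit test reach the path that only a real out-of-memory condition would otherwise hit.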
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Whiteboard: [CID 1026]
Version: 3.11 → 3.11.2
Assignee: nobody → julien.pierre.bugs
Target Milestone: --- → 3.11.4
Attachment #237819 - Flags: superreview?(nelson)
Attachment #237819 - Flags: review?(alexei.volkov.bugs)
Comment on attachment 237819 [details] [diff] [review]
Fix crash if extended is NULL . Also handle crl NULL case properly

r=alexei.volkov
Attachment #237819 - Flags: review?(alexei.volkov.bugs) → review+
Attachment #237819 - Flags: superreview?(nelson) → superreview+
Checked in to the tip :

Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v  <--  crl.c
new revision: 1.54; previous revision: 1.53

And NSS_3_11_BRANCH :

Checking in crl.c;
/cvsroot/mozilla/security/nss/lib/certdb/crl.c,v  <--  crl.c
new revision: 1.49.24.4; previous revision: 1.49.24.3
done
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ CERT_DecodeDERCrlWithFlags]