Closed
Bug 352932
Opened 18 years ago
Closed 7 years ago
common_DecodeDerSig should use SEC_QuickDERDecodeItem
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 944179
People
(Reporter: wtc, Unassigned)
Details
common_DecodeDerSig uses SEC_ASN1DecodeItem, so it's not easy to detect if there is extra input in the buffer. common_DecodeDerSig should use SEC_QuickDERDecodeItem, or should use DER_Lengths to check if there is extra input in the buffer. Julien, do you know why we didn't change common_DecodeDerSig to use the QuickDER decoder?
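The length check the description asks for, as an added stand-alone example (not NSS code and not from this bug): it walks the DER headers itself rather than calling SEC_QuickDERDecodeItem or DER_Lengths. The names `der_header` and `check_der_sig_exact` are hypothetical, and it assumes the signature is a SEQUENCE of two INTEGERs (r, s).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not an NSS function): parse one DER tag+length header. */
static int der_header(const uint8_t *p, size_t n, uint8_t tag,
                      size_t *hdr, size_t *len)
{
    if (n < 2 || p[0] != tag) return -1;
    if (p[1] < 0x80) { *hdr = 2; *len = p[1]; }
    else {
        size_t k = p[1] & 0x7f, i, v = 0;
        if (k == 0 || k > 2 || n < 2 + k) return -1; /* indefinite or oversized */
        for (i = 0; i < k; i++) v = (v << 8) | p[2 + i];
        if (v < 0x80 || (k == 2 && v < 0x100)) return -1; /* non-minimal: not DER */
        *hdr = 2 + k; *len = v;
    }
    return (*len <= n - *hdr) ? 0 : -1; /* content must fit in the buffer */
}

/* 0: exactly SEQUENCE { INTEGER r, INTEGER s }; -1: malformed;
 * -2: bytes after the SEQUENCE; -3: bytes inside it after s. */
int check_der_sig_exact(const uint8_t *buf, size_t n)
{
    size_t hdr, len, off, end, ih, il;
    int i;
    if (der_header(buf, n, 0x30, &hdr, &len) != 0) return -1;
    if (hdr + len != n) return -2;
    off = hdr; end = hdr + len;
    for (i = 0; i < 2; i++) {
        if (der_header(buf + off, end - off, 0x02, &ih, &il) != 0 || il == 0)
            return -1;
        off += ih + il;
    }
    return off == end ? 0 : -3;
}

/* Constructed sample inputs (r = 1, s = 2), not taken from the bug. */
static const uint8_t sig_ok[]       = {0x30,0x06,0x02,0x01,0x01,0x02,0x01,0x02};
static const uint8_t sig_trailing[] = {0x30,0x06,0x02,0x01,0x01,0x02,0x01,0x02,0x00};
static const uint8_t sig_padded[]   = {0x30,0x07,0x02,0x01,0x01,0x02,0x01,0x02,0x00};

int main(void)
{
    printf("%d %d %d\n", check_der_sig_exact(sig_ok, sizeof sig_ok),
           check_der_sig_exact(sig_trailing, sizeof sig_trailing),
           check_der_sig_exact(sig_padded, sizeof sig_padded));
    return 0;
}
```

The two failure codes separate bytes appended after the outer SEQUENCE from bytes hidden inside it after `s`; a decoder that stops once its template is satisfied can miss both.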
Comment 1•18 years ago
Wan-Teh, for one thing, this function didn't exist on the NSS_3_6_BRANCH that I reviewed when I created the QuickDER decoder. There seems to have been a DSAU_DecodeDerSig function, which was also skipped in bug 178895. I'm not sure why, because the dsautil.c source file is never mentioned in the bug. One of the possible reasons why the API was skipped is that there is no arena, and QuickDER requires one. However, it appears the decoded object gets reencoded and discarded, so this shouldn't actually be an issue.
Comment 2•14 years ago
Related to or inspired by CVE-2006-4340: unchecked garbage in PKCS v1.5 blocks
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE