Bug 353763 - klocwork Null ptr dereferences in pk11cert.c
Status: RESOLVED FIXED
: klocwork
Product: NSS
Classification: Components
Component: Libraries
: trunk
: All All
: P2 normal
: 3.12
Assigned To: Alexei Volkov
Reported: 2006-09-21 23:37 PDT by Nelson Bolyard (seldom reads bugmail)
Modified: 2006-10-30 16:32 PST


Attachments
fix (6.40 KB, patch)
2006-10-25 17:00 PDT, Alexei Volkov
nelson: review+

Description Nelson Bolyard (seldom reads bugmail) 2006-09-21 23:37:00 PDT
All these klocwork IDs are in 
File nss/lib/pk11wrap/pk11cert.c

Klocwork ID 88363
Function PK11_FindCertsFromNickname

Pointer 'certList' returned from call to function 'CERT_NewCertList' at 
line 739 may be NULL and may be dereferenced by passing argument 1 to 
function 'CERT_AddCertToListSorted' at line 745.

741	    CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c); 
742	    /* c may be invalid after this, don't reference it */ 
743	    if (certCert) { 
744	        /* CERT_AddCertToListSorted adopts certCert  */ 
745		CERT_AddCertToListSorted(certList, certCert, 
746			             CERT_SortCBValidity, &now);

Comment 1 Nelson Bolyard (seldom reads bugmail) 2006-09-22 00:37:30 PDT
ID:       92197
Function: PK11_FindCertFromNickname
Location: nss/lib/pk11wrap/pk11cert.c : 543

Suspicious dereference of pointer 'nickCopy' by passing argument 1 to 
function 'strchr' at line 543 before NULL check at line 633
(Should be a null check between lines 542 and 543)

542	    nickCopy = PORT_Strdup(nickname); 
543	    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) { 

----

ID:       92198
Function: PK11_FindCertsFromNickname
Location: nss/lib/pk11wrap/pk11cert.c : 654

Suspicious dereference of pointer 'nickCopy' by passing argument 1 to 
function 'strchr' at line 654 before NULL check at line 678
(Should be a null check between lines 653 and 654)

653	    nickCopy = PORT_Strdup(nickname); 
654	    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) { 

----

ID:       88363
Location: nss/lib/pk11wrap/pk11cert.c : 745
Function: PK11_FindCertsFromNickname

Pointer 'certList' returned from call to function 'CERT_NewCertList' at 
line 739 may be NULL and may be dereferenced by passing argument 1 to 
function 'CERT_AddCertToListSorted' at line 745.


741	    CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c); 
742	    /* c may be invalid after this, don't reference it */ 
743	    if (certCert) { 
744	        /* CERT_AddCertToListSorted adopts certCert  */ 
745		CERT_AddCertToListSorted(certList, certCert, 
746			CERT_SortCBValidity, &now); 

----

ID:       92199
Function: PK11_ImportCert
Location: nss/lib/pk11wrap/pk11cert.c : 840

Pointer 'c' returned from call to function 'STAN_GetNSSCertificate' at 
line 837 may be NULL and will be dereferenced at line 840.

834	    if (cert->nssCertificate) { 
835		c = cert->nssCertificate; 
836	    } else { 
837		c = STAN_GetNSSCertificate(cert); 
838	    } 
840	    if (c->object.cryptoContext) { 

----

ID:       88377
Function: PK11_NumberCertsForCertSubject
Location: nss/lib/pk11wrap/pk11cert.c : 1675

Pointer 'list' returned from call to function 'PK11_GetAllTokens' at 
line 1669 may be NULL and will be dereferenced at line 1675.

1669	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, 
1670							PR_FALSE,PR_TRUE,NULL); 
1671	PK11SlotListElement *le; 
1675	for (le = list->head; le; le = le->next) { 

----- 

ID:       88391
Function: PK11_TraverseCertsForSubject
Location: nss/lib/pk11wrap/pk11cert.c : 1701

Pointer 'list' returned from call to function 'PK11_GetAllTokens' at 
line 1696 may be NULL and will be dereferenced at line 1701.

1696		PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, 
1697						PR_FALSE,PR_TRUE,NULL); 
1698		PK11SlotListElement *le; 
1701		for (le = list->head; le; le = le->next) { 

------

ID:       88382
Function: PK11_FindBestKEAMatch
Location: nss/lib/pk11wrap/pk11cert.c : 2141

Pointer 'keaList' returned from call to function 'PK11_GetAllTokens' at 
line 2134 may be NULL and will be dereferenced at line 2141.

2134	    PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE, 
2135						PR_FALSE,PR_TRUE,wincx); 
2136	    PK11SlotListElement *le; 
2141	    for (le = keaList->head; le; le = le->next) { 

----

ID:       92200
Function: listCertsCallback
Location: nss/lib/pk11wrap/pk11cert.c : 2412

Pointer 'c' returned from call to function 'STAN_GetNSSCertificate' at 
line 2410 may be NULL and will be dereferenced at line 2412.

2410	    NSSCertificate *c = STAN_GetNSSCertificate(cert); 
2411	 
2412	    instances = nssPKIObject_GetInstances(&c->object); 
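
The two patterns Klocwork flags in this report, a string copy passed to strchr before its NULL check and a list pointer dereferenced without one, shown here with the check in place. This is an added example, not the patch attached to this bug and not NSS code; `split_nickname`, `count_certs`, `dup_string`, the `slot` types and the `fail_alloc` hook are hypothetical stand-ins, and the return values chosen for the failure cases are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for this example; not NSS types or functions. */
typedef struct slot { struct slot *next; int has_cert; } slot;
typedef struct { slot *head; } slot_list;

static int fail_alloc = 0;   /* test hook: simulate allocation failure */

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = fail_alloc ? NULL : malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* IDs 92197/92198 pattern: check the copy before strchr dereferences it.
 * Returns 1 for "token:name" (caller frees *token_out), 0 for a plain name, -1 on failure. */
int split_nickname(const char *nickname, char **token_out) {
    char *copy, *delimit;
    *token_out = NULL;
    if (!nickname) return -1;
    copy = dup_string(nickname);
    if (!copy) return -1;                 /* the check the report asks for */
    if ((delimit = strchr(copy, ':')) != NULL) {
        *delimit = '\0';
        *token_out = copy;
        return 1;
    }
    free(copy);
    return 0;
}

/* IDs 88377/88391/88382 pattern: test the list before reading list->head. */
int count_certs(const slot_list *list) {
    const slot *le;
    int n = 0;
    if (!list) return 0;                  /* returning 0 is this example's choice */
    for (le = list->head; le; le = le->next) n += le->has_cert;
    return n;
}

int main(void) {
    char *tok;
    int rv = split_nickname("mytoken:mycert", &tok);   /* constructed input */
    printf("rv=%d token=%s null-list=%d\n", rv, tok ? tok : "(null)", count_certs(NULL));
    free(tok);
    return 0;
}
```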

Comment 2 Alexei Volkov 2006-10-25 17:00:29 PDT
Created attachment 243544
fix

Comment 3 Nelson Bolyard (seldom reads bugmail) 2006-10-25 18:16:54 PDT
Comment on attachment 243544
fix

r=nelson

Comment 4 Alexei Volkov 2006-10-30 16:32:09 PST
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11cert.c,v  <--  pk11cert.c
new revision: 1.155; previous revision: 1.154
