Closed Bug 387577 Opened 17 years ago Closed 17 years ago

Invalid read under ssl_Write called from nsSSLThread::Run

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 341127

People

(Reporter: bzbarsky, Assigned: KaiE)

Details

Valgrind says:

==5993== Invalid read of size 4
==5993==    at 0x7E822F5: rc4_wordconv (arcfour.c:548)
==5993==    by 0x7E8261C: RC4_Encrypt (arcfour.c:608)
==5993==    by 0x7E4C25D: RC4_Encrypt (loader.c:491)
==5993==    by 0x7E396B4: NSC_EncryptUpdate (pkcs11c.c:781)
==5993==    by 0x7D93FFB: PK11_CipherOp (pk11cxt.c:730)
==5993==    by 0x7D35586: ssl3_CompressMACEncryptRecord (ssl3con.c:1854)
==5993==    by 0x7D359A8: ssl3_SendRecord (ssl3con.c:1971)
==5993==    by 0x7D35DCD: ssl3_SendApplicationData (ssl3con.c:2087)
==5993==    by 0x7D4F820: ssl_SecureSend (sslsecur.c:1128)
==5993==    by 0x7D4F8F5: ssl_SecureWrite (sslsecur.c:1145)
==5993==    by 0x7D5565F: ssl_Write (sslsock.c:1455)
==5993==    by 0x7C71D74: nsSSLThread::Run() (nsSSLThread.cpp:1028)
==5993==  Address 0x78EDC80 is 720 bytes inside a block of size 722 alloc'd
==5993==    at 0x40046C6: malloc (vg_replace_malloc.c:149)
==5993==    by 0x4107ED1: malloc (nsTraceMalloc.c:1501)
==5993==    by 0x470CAA1: PR_Malloc (prmem.c:467)
==5993==    by 0x469ECBD: NS_Alloc_P (nsMemoryImpl.cpp:281)
==5993==    by 0x7C8CB1D: nsMemory::Alloc(unsigned) (nsMemory.h:68)
==5993==    by 0x7C8F8DC: nsSSLSocketThreadData::ensure_buffer_size(int) (nsNSSIOLayer.cpp:175)
==5993==    by 0x7C71978: nsSSLThread::requestWrite(nsNSSSocketInfo*, void const*, int, unsigned) (nsSSLThread.cpp:868)
==5993==    by 0x7C9259F: PSMSend(PRFileDesc*, void const*, int, int, unsigned) (nsNSSIOLayer.cpp:1224)
==5993==    by 0x7C925FC: nsSSLIOLayerWrite(PRFileDesc*, void const*, int) (nsNSSIOLayer.cpp:1236)
==5993==    by 0x47028F2: PR_Write (priometh.c:146)
==5993==    by 0x526801B: nsSocketOutputStream::Write(char const*, unsigned, unsigned*) (nsSocketTransport2.cpp:564)
==5993==    by 0x52EF0A3: nsHttpConnection::OnReadSegment(char const*, unsigned, unsigned*) (nsHttpConnection.cpp:523)
==5993==
Flags: blocking1.9?
I'm sure there should be a dup of this somewhere. IIRC RC4 does full 4 byte reads beyond the given buffer, but masks off the unwanted results for performance reasons.

bob
yeah, it's a dup.

Is that supposed to be a stack?  
Am I supposed to believe that malloc called some code in a malloc'ed 
block, which called nsSSLThread::Run() which called ssl_Write ?

Anyway, that's mostly irrelevant to the subject of the bug, which is a dup.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
> Is that supposed to be a stack?  

Two stacks, yes, as output by valgrind.  The top stack is where the invalid read happened.  The bottom stack is where the relevant memory chunk was allocated.  That's pretty clear if you read the words around the function names, I think...
OH, two separate stacks.  I see.  That makes a lot more sense, 
but wasn't at all obvious to me. :-/  Thanks for clearing that up.
The call stack referred to arcfour.c:548, rev. 1.17:

                /* If the amount of remaining input is greater than the amount
                 * bytes pulled from the current input word, need to do another
                 * word load.  What's left in inWord will be consumed in step 3.
                 */
                if (inputLen > WORDSIZE - inOffset)
548                     inWord |= *pInWord RSH bufShift; /* UMR?  See above. */
        } else {
You need to log in before you can comment on or make changes to this bug.