Closed
Bug 387577
Opened 17 years ago
Closed 17 years ago
Invalid read under ssl_Write called from nsSSLThread::Run
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 341127
People
(Reporter: bzbarsky, Assigned: KaiE)
Details
Valgrind says: ==5993== Invalid read of size 4 ==5993== at 0x7E822F5: rc4_wordconv (arcfour.c:548) ==5993== by 0x7E8261C: RC4_Encrypt (arcfour.c:608) ==5993== by 0x7E4C25D: RC4_Encrypt (loader.c:491) ==5993== by 0x7E396B4: NSC_EncryptUpdate (pkcs11c.c:781) ==5993== by 0x7D93FFB: PK11_CipherOp (pk11cxt.c:730) ==5993== by 0x7D35586: ssl3_CompressMACEncryptRecord (ssl3con.c:1854) ==5993== by 0x7D359A8: ssl3_SendRecord (ssl3con.c:1971) ==5993== by 0x7D35DCD: ssl3_SendApplicationData (ssl3con.c:2087) ==5993== by 0x7D4F820: ssl_SecureSend (sslsecur.c:1128) ==5993== by 0x7D4F8F5: ssl_SecureWrite (sslsecur.c:1145) ==5993== by 0x7D5565F: ssl_Write (sslsock.c:1455) ==5993== by 0x7C71D74: nsSSLThread::Run() (nsSSLThread.cpp:1028) ==5993== Address 0x78EDC80 is 720 bytes inside a block of size 722 alloc'd ==5993== at 0x40046C6: malloc (vg_replace_malloc.c:149) ==5993== by 0x4107ED1: malloc (nsTraceMalloc.c:1501) ==5993== by 0x470CAA1: PR_Malloc (prmem.c:467) ==5993== by 0x469ECBD: NS_Alloc_P (nsMemoryImpl.cpp:281) ==5993== by 0x7C8CB1D: nsMemory::Alloc(unsigned) (nsMemory.h:68) ==5993== by 0x7C8F8DC: nsSSLSocketThreadData::ensure_buffer_size(int) (nsNSSIOLayer.cpp:175) ==5993== by 0x7C71978: nsSSLThread::requestWrite(nsNSSSocketInfo*, void const*, int, unsigned) (nsSSLThread.cpp:868) ==5993== by 0x7C9259F: PSMSend(PRFileDesc*, void const*, int, int, unsigned) (nsNSSIOLayer.cpp:1224) ==5993== by 0x7C925FC: nsSSLIOLayerWrite(PRFileDesc*, void const*, int) (nsNSSIOLayer.cpp:1236) ==5993== by 0x47028F2: PR_Write (priometh.c:146) ==5993== by 0x526801B: nsSocketOutputStream::Write(char const*, unsigned, unsigned*) (nsSocketTransport2.cpp:564) ==5993== by 0x52EF0A3: nsHttpConnection::OnReadSegment(char const*, unsigned, unsigned*) (nsHttpConnection.cpp:523) ==5993==
Reporter | ||
Updated•17 years ago
|
Flags: blocking1.9?
Comment 1•17 years ago
|
||
I'm sure there should be a dup of this somewhere. IIRC RC4 does full 4 byte reads beyond the given buffer, but masks off the unwanted results for performance reasons. bob
Comment 2•17 years ago
|
||
yeah, it's a dup. Is that supposed to be a stack? Am I supposed to believe that malloc called some code in a malloc'ed block, which called nsSSLThread::Run() which called ssl_Write ? Anyway, that's mostly irrelevant to the subject of the bug, which is a dup.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 3•17 years ago
|
||
> Is that supposed to be a stack?
Two stacks, yes, as output by valgrind. The top stack is where the invalid read happened. The bottom stack is where the relevant memory chunk was allocated. That's pretty clear if you read the words around the function names, I think...
Comment 4•17 years ago
|
||
OH, two separate stacks. I see. That makes a lot more sense, but wasn't at all obvious to me. :-/ Thanks for clearing that up.
Comment 5•13 years ago
|
||
The call stack referred to arcfour.c:548, rev. 1.17: /* If the amount of remaining input is greater than the amount * bytes pulled from the current input word, need to do another * word load. What's left in inWord will be consumed in step 3. */ if (inputLen > WORDSIZE - inOffset) 548 inWord |= *pInWord RSH bufShift; /* UMR? See above. */ } else {
You need to log in
before you can comment on or make changes to this bug.
Description
•