Closed
Bug 486060
Opened 15 years ago
Closed 15 years ago
sec_asn1d_parse_leaf uses argument uninitialized by caller pbe_PK11AlgidToParam
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12.3
People
(Reporter: nelson, Assigned: nelson)
Details
Attachments (1 file)
patch, 1.01 KB; rrelyea: review+
This bug was reported in bug 447882 comment 13 by Rich Megginson <richm@stanfordalumni.org>. Some code paths in pbe_PK11AlgidToParam call SEC_ASN1DecodeItem without first initializing (zeroing) the structure that will receive the output. This occasionally leads to a crash in sec_asn1d_parse_leaf due to an uninitialized SECItem structure that has a non-null data pointer, which is not the result of the parser. Rich suggests the attached patch should fix it. I'd like to have steps to reproduce.
Attachment #370138 - Flags: review?(rrelyea)
Comment 1•15 years ago
Comment on attachment 370138 [details] [diff] [review] Patch v1 for NSS Trunk (untested)
r+ looks safe
Attachment #370138 - Flags: review?(rrelyea) → review+
Comment 2•15 years ago
Note that this doesn't cause a crash, at least none that I saw. valgrind reports it as "Conditional jump or move depends on uninitialised value(s)" at line 1561 (which probably includes 1562 and 1563) in secasn1d.c:
http://mxr.mozilla.org/mozilla/source/security/nss/lib/util/secasn1d.c#1561

1560 /* Strip leading zeroes when target is unsigned integer */
1561 if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER */
1562     item->len == 0 &&                             /* MSB */
1563     item->type == siUnsignedInteger)              /* unsigned */
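The condition Comment 2 quotes is why the caller's initialization matters: the leaf parser reads the destination item's existing len and type (and appends at data + len) before it ever writes them. The following is an added C example, not NSS code; parse_integer_leaf is a hypothetical stand-in for that logic, and decode_param shows a zeroed item (the fix) beside a stale one, used as a deterministic stand-in for an uninitialised stack item.

```c
#include <string.h>

/* Stand-in for NSS's SECItem (hypothetical, not NSS code). */
typedef enum { siBuffer, siUnsignedInteger } ItemType;
typedef struct { ItemType type; unsigned char *data; unsigned int len; } Item;

/* Mirrors the decision valgrind flagged at secasn1d.c:1561-1563: stripping the
 * leading zero depends on the item's EXISTING len and type, and bytes are then
 * appended at data + len. The fields are read before they are ever written. */
static int parse_integer_leaf(Item *item, const unsigned char *buf, size_t len)
{
    static unsigned char storage[16];              /* parser-owned output buffer */
    if (item->data == NULL)                        /* only if caller left it NULL */
        item->data = storage;
    if (item->len == 0 && item->type == siUnsignedInteger)
        while (len > 1 && buf[0] == 0) { buf++; len--; }  /* drop DER sign byte */
    if ((size_t)item->len + len > sizeof storage)  /* bound assumes data==storage */
        return -1;
    memcpy(item->data + item->len, buf, len);
    item->len += len;
    return 0;
}

/* Constructed DER INTEGER contents for 128; an unsigned consumer wants the
 * leading 0x00 stripped. */
static const unsigned char kContents[] = { 0x00, 0x80 };

static Item last;  /* result of the most recent decode_param() call */

/* zero_first == 1 models the fix (item zeroed, then typed, before decoding);
 * 0 models a stack item reused with stale contents, a deterministic stand-in
 * for the uninitialised case. Returns the resulting len, or -1 on failure. */
int decode_param(int zero_first)
{
    static unsigned char leftover[8] = "STALE!!"; /* what a stale pointer hits */
    if (zero_first) {
        memset(&last, 0, sizeof last);            /* the fix: zero before decoding */
        last.type = siUnsignedInteger;
    } else {
        last.type = siBuffer; last.data = leftover; last.len = 3;
    }
    return parse_integer_leaf(&last, kContents, sizeof kContents) == 0 ? (int)last.len : -1;
}

int decoded_first_byte(void) { return last.data[0]; }  /* byte 0 of the last result */
```

With the zeroed item the sign byte is stripped and one byte lands in the parser's buffer; with the stale item the check is skipped and two bytes are written three bytes into whatever the caller's garbage pointer referenced, which in the real decoder is where the crash comes from.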
Updated•15 years ago
Summary: Crash in sec_asn1d_parse_leaf due to uninitialized variable in caller pbe_PK11AlgidToParam → sec_asn1d_parse_leaf uses argument uninitialized by caller pbe_PK11AlgidToParam
Comment 3•15 years ago
Checking in pk11wrap/pk11pbe.c; new revision: 1.23; previous revision: 1.22
Assignee: nobody → nelson
Status: NEW → RESOLVED
Closed: 15 years ago
Priority: -- → P3
Resolution: --- → FIXED