1 byte overflow in cert_GetDNSPatternsFromGeneralNames

RESOLVED FIXED in 3.12.4

Status

P2
normal
RESOLVED FIXED
10 years ago
8 years ago

People

(Reporter: bhackett, Assigned: nelson)

Tracking

3.12
3.12.4

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:investigate])

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Build Identifier: current checkout from http://hg.mozilla.org/mozilla-central/

Function cert_GetDNSPatternsFromGeneralNames in security/nss/lib/certdb/certdb.c allocates a buffer 'cn' and writes one byte past the end of the buffer (the overflowing write is always zero).

The relevant code is pasted below.

            cn = (char *)PORT_ArenaAlloc(nickNames->arena, 
                                         currentInput->name.other.len + 1);
            if (!cn)
              return SECFailure;
            PORT_Memcpy(cn, currentInput->name.other.data, 
                            currentInput->name.other.len);
            cn[currentInput->name.other.len + 1] = 0;
Reproducible: Always
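Added example (not code from this bug report or from NSS): the same length-counted-bytes-to-C-string copy as in the snippet above, written with the terminator at index len, which is the last valid byte of a len + 1 allocation. The `name_item` type and the function names are assumptions for this example; the reported code wrote at index len + 1, one past the allocation, and the small helper at the end shows that arithmetic explicitly.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in (assumption) for a DER GeneralName value: a
 * length-counted byte string that carries no NUL terminator of its own. */
typedef struct {
    const unsigned char *data;
    size_t len;
} name_item;

/* Corrected pattern: allocate len + 1 bytes, copy len bytes, and write the
 * terminator at index len. The caller frees the returned string. */
char *name_to_cstring(const name_item *in)
{
    char *cn = malloc(in->len + 1);
    if (!cn)
        return NULL;
    memcpy(cn, in->data, in->len);
    cn[in->len] = '\0';   /* index len is inside the len + 1 allocation */
    return cn;
}

/* Returns 1 if a write at `index` into a buffer of `alloc_len` bytes lands
 * outside the buffer (valid indices are 0 .. alloc_len - 1). */
int write_is_out_of_bounds(size_t alloc_len, size_t index)
{
    return index >= alloc_len;
}

/* Terminator index used by the fixed copy above. */
size_t fixed_terminator_index(size_t len) { return len; }

/* Terminator index used by the reported code: len + 1, one past the end. */
size_t reported_terminator_index(size_t len) { return len + 1; }

/* Self-check: copy a constructed name and verify the result round-trips as a
 * NUL-terminated string of the same length. Returns 1 on success. */
int roundtrip_ok(const char *sample)
{
    name_item it;
    it.data = (const unsigned char *)sample;
    it.len = strlen(sample);
    char *s = name_to_cstring(&it);
    if (!s)
        return 0;
    int ok = (strlen(s) == it.len) && (memcmp(s, sample, it.len) == 0);
    free(s);
    return ok;
}
```

Building the reported pattern with AddressSanitizer (`-fsanitize=address`) flags the write at len + 1 as a heap-buffer-overflow on the first call; the `write_is_out_of_bounds` helper expresses the same index arithmetic without performing the out-of-bounds write.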
(Assignee)

Updated

10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows Vista → All
Priority: -- → P2
Hardware: x86 → All
Version: unspecified → 3.12
Although the stars have to line up just right, we've seen someone figure out an exploit for a heap buffer overflow of a single null byte in the past. I'm marking this as a potential security bug just in case.

The only caller of this function seems to be CERT_GetValidDNSPatternsFromCert, and I couldn't find any callers of that API in mozilla client code. Is this unused code?
Group: core-security
Whiteboard: [sg:investigate]
Dan, apparently it is unused code, at least unused by Mozilla. :(
It was added (NSS bug 400917) expressly for use by PSM (bug 238142), but 
it seems that PSM never used it, and wrote its own code for this purpose
instead (bug 398718).  :(

BTW, I'd like to know more about the exploitable 1-byte NULL heap buffer oflo!
Assignee: nobody → nelson
Target Milestone: --- → 3.12.5
(In reply to comment #2)
> BTW, I'd like to know more about the exploitable 1-byte NULL heap buffer oflo!

bug 299209 comment 20
I remembered the reporter but got confused about which bug. Finally found the right one: bug 300936 comment 7 and following
Created attachment 378089 [details] [diff] [review]
Patch v1 for NSS Trunk

This is the obvious patch.  
It also fixes one other bug revealed by a warning.
Julien, please review.
Attachment #378089 - Flags: review?(julien.pierre.boogz)

Updated

10 years ago
Attachment #378089 - Attachment is patch: true

Updated

10 years ago
Attachment #378089 - Flags: review?(julien.pierre.boogz) → review+
Thanks for the prompt review.
Checking in certdb.c; new revision: 1.101; previous revision: 1.100
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Dan, given that this is dead code in Firefox, I think we can open this up.
(Assignee)

Updated

10 years ago
Target Milestone: 3.12.5 → 3.12.4
Group: core-security