Bug 493405 (Closed)
Opened 15 years ago; closed 15 years ago
1 byte overflow in cert_GetDNSPatternsFromGeneralNames
Categories: NSS :: Libraries, defect, P2
Tracking: Not tracked
Status: RESOLVED FIXED (target milestone 3.12.4)
People: Reporter: bhackett1024, Assigned: nelson
Details: Whiteboard: [sg:investigate]
Attachments (1 file): patch, 1.67 KB; julien.pierre: review+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Build Identifier: current checkout from http://hg.mozilla.org/mozilla-central/

Function cert_GetDNSPatternsFromGeneralNames in security/nss/lib/certdb/certdb.c allocates a buffer 'cn' and writes one byte past the end of the buffer (the overflowing write is always zero). The relevant code is pasted below.

    cn = (char *)PORT_ArenaAlloc(nickNames->arena, currentInput->name.other.len + 1);
    if (!cn)
        return SECFailure;
    PORT_Memcpy(cn, currentInput->name.other.data, currentInput->name.other.len);
    cn[currentInput->name.other.len + 1] = 0;   /* buffer holds len + 1 bytes; index len + 1 is one past the end */

Reproducible: Always
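Added example, not code from the bug report or from NSS: a toy bump arena stands in for the NSS arena, and a constructed `Item` stands in for the SECItem data/len pair, to show why the terminator written at index len + 1 lands in whatever the arena hands out next, and what the corrected copy looks like.

```c
#include <string.h>

/* Toy bump allocator standing in for the NSS arena in the report. It is a
   constructed stand-in, not PORT_ArenaAlloc: allocations are laid out back
   to back, so a write one byte past one allocation lands in the next. */
typedef struct { unsigned char buf[64]; size_t used; } Arena;

static void *arena_alloc(Arena *a, size_t n) {
    if (n > sizeof a->buf - a->used) return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* Constructed stand-in for the NSS SECItem data/len pair. */
typedef struct { const unsigned char *data; size_t len; } Item;

/* Shape of the copy quoted in the report: len + 1 bytes are allocated, but
   the terminator is written at index len + 1, one byte past the end. */
static char *copy_name_buggy(Arena *a, const Item *in) {
    char *cn = arena_alloc(a, in->len + 1);
    if (!cn) return NULL;
    memcpy(cn, in->data, in->len);
    cn[in->len + 1] = 0;   /* valid indices are 0..len; this is len + 1 */
    return cn;
}

/* Corrected copy: the terminator goes at index len, the last valid byte. */
static char *copy_name_fixed(Arena *a, const Item *in) {
    char *cn = arena_alloc(a, in->len + 1);
    if (!cn) return NULL;
    memcpy(cn, in->data, in->len);
    cn[in->len] = 0;
    return cn;
}

/* Fill the arena with a marker byte, copy a constructed name, then take the
   next allocation and check whether its first byte was zeroed by the copy.
   Returns 1 if the neighbouring allocation was clobbered, 0 if it was not. */
int neighbour_clobbered(int use_fixed) {
    Arena a;
    Item name = { (const unsigned char *)"example.com", 11 };
    unsigned char *next;
    memset(a.buf, 0xAA, sizeof a.buf);
    a.used = 0;
    if (!(use_fixed ? copy_name_fixed(&a, &name) : copy_name_buggy(&a, &name)))
        return -1;
    next = arena_alloc(&a, 1);   /* sits directly after cn in the arena */
    return next[0] != 0xAA;
}
```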
Updated•15 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows Vista → All
Priority: -- → P2
Hardware: x86 → All
Version: unspecified → 3.12
Comment 1•15 years ago
Although the stars have to line up just right, we've seen someone figure out an exploit for a heap buffer overflow of a single null byte in the past. I'm marking this as a potential security bug just in case. The only caller of this function seems to be CERT_GetValidDNSPatternsFromCert, and I couldn't find any callers of that API in mozilla client code. Is this unused code?
Group: core-security
Whiteboard: [sg:investigate]
Comment 2•15 years ago
Dan, apparently it is unused code, at least unused by Mozilla. :( It was added (NSS bug 400917) expressly for use by PSM (bug 238142), but it seems that PSM never used it, and wrote its own code for this purpose instead (bug 398718). :( BTW, I'd like to know more about the exploitable 1-byte NULL heap buffer oflo!
Assignee: nobody → nelson
Target Milestone: --- → 3.12.5
Comment 3•15 years ago
(In reply to comment #2)
> BTW, I'd like to know more about the exploitable 1-byte NULL heap buffer oflo!

bug 299209 comment 20
Comment 4•15 years ago
I remembered the reporter but got confused about which bug. Finally found the right one: bug 300936 comment 7 and following
Comment 5•15 years ago
This is the obvious patch. It also fixes one other bug revealed by a warning. Julien, please review.
Attachment #378089 - Flags: review?(julien.pierre.boogz)
Updated•15 years ago
Attachment #378089 - Attachment is patch: true
Updated•15 years ago
Attachment #378089 - Flags: review?(julien.pierre.boogz) → review+
Comment 6•15 years ago
Thanks for the prompt review. Checking in certdb.c; new revision: 1.101; previous revision: 1.100
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 7•15 years ago
Dan, given that this is dead code in Firefox, I think we can open this up.
Updated•15 years ago
Target Milestone: 3.12.5 → 3.12.4
Updated•14 years ago
Group: core-security