User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:188.8.131.52) Gecko/2009042316 Firefox/3.0.10
Build Identifier: current checkout from http://hg.mozilla.org/mozilla-central/

Function cert_GetDNSPatternsFromGeneralNames in security/nss/lib/certdb/certdb.c allocates a buffer 'cn' and writes one byte past the end of the buffer (the overflowing write is always zero). The relevant code is pasted below.

    cn = (char *)PORT_ArenaAlloc(nickNames->arena,
                                 currentInput->name.other.len + 1);
    if (!cn)
        return SECFailure;
    PORT_Memcpy(cn, currentInput->name.other.data,
                currentInput->name.other.len);
    cn[currentInput->name.other.len + 1] = 0;

Reproducible: Always
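The off-by-one described in this report, reproduced as an added example that is not part of the original bug or the NSS source. It mirrors the allocate/copy/terminate pattern with a guard byte placed after the requested `len + 1` bytes, so the stray write is detectable without touching memory the program does not own. The names `guarded_alloc`, `copy_name` and `struct result` are hypothetical, and the corrected index `cn[len]` is an assumption, since the patch itself is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5

struct result { int guard_intact; int terminated; };

/* Hypothetical stand-in for the arena allocator: returns `want` usable bytes
 * followed by one guard byte, everything pre-filled with GUARD so that
 * untouched bytes are recognisable afterwards. */
static unsigned char *guarded_alloc(size_t want)
{
    unsigned char *p = malloc(want + 1);
    if (p)
        memset(p, GUARD, want + 1);
    return p;
}

/* Copies `len` bytes of a name into a buffer requested as len + 1 bytes.
 * fixed == 0: terminator at index len + 1, as in the reported code.
 * fixed != 0: terminator at index len (assumed correction). */
static struct result copy_name(const unsigned char *data, size_t len, int fixed)
{
    struct result r = { 0, 0 };
    size_t want = len + 1;
    unsigned char *cn = guarded_alloc(want);
    if (!cn)
        return r;
    memcpy(cn, data, len);
    cn[fixed ? len : len + 1] = 0;
    r.guard_intact = (cn[want] == GUARD); /* byte just past the request */
    r.terminated = (cn[len] == 0);        /* NUL directly after the data */
    free(cn);
    return r;
}

int main(void)
{
    const unsigned char name[] = "example.com"; /* constructed sample input */
    size_t len = sizeof(name) - 1;
    struct result bad = copy_name(name, len, 0);
    struct result good = copy_name(name, len, 1);
    printf("reported: guard_intact=%d terminated=%d\n", bad.guard_intact, bad.terminated);
    printf("fixed:    guard_intact=%d terminated=%d\n", good.guard_intact, good.terminated);
    return 0;
}
```

The reported indexing fails both checks: the zero lands one byte beyond the allocation, and the byte that should hold the terminator is never written.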
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows Vista → All
Priority: -- → P2
Hardware: x86 → All
Version: unspecified → 3.12
Although the stars have to line up just right, we've seen someone figure out an exploit for a heap buffer overflow of a single null byte in the past. I'm marking this as a potential security bug just in case. The only caller of this function seems to be CERT_GetValidDNSPatternsFromCert, and I couldn't find any callers of that API in mozilla client code. Is this unused code?
Dan, apparently it is unused code, at least unused by Mozilla. :( It was added (NSS bug 400917) expressly for use by PSM (bug 238142), but it seems that PSM never used it, and wrote its own code for this purpose instead (bug 398718). :( BTW, I'd like to know more about the exploitable 1-byte NULL heap buffer oflo!
Assignee: nobody → nelson
Target Milestone: --- → 3.12.5
(In reply to comment #2)
> BTW, I'd like to know more about the exploitable 1-byte NULL heap buffer oflo!

bug 299209 comment 20
I remembered the reporter but got confused about which bug. Finally found the right one: bug 300936 comment 7 and following
Created attachment 378089
Patch v1 for NSS Trunk

This is the obvious patch. It also fixes one other bug revealed by a warning. Julien, please review.
Attachment #378089 - Flags: review?(julien.pierre.boogz)
Attachment #378089 - Flags: review?(julien.pierre.boogz) → review+
Thanks for the prompt review.

Checking in certdb.c; new revision: 1.101; previous revision: 1.100
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Dan, given that this is dead code in Firefox, I think we can open this up.
Target Milestone: 3.12.5 → 3.12.4