Closed Bug 538939 Opened 15 years ago Closed 15 years ago

Misuse of PR_GetErrorTextLength when allocating error message buffers

Categories

(NSS :: Tools, defect, P2)

3.12.5
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.12.7

People

(Reporter: glandium, Assigned: glandium)

Details

Attachments

(1 file)

Attached patch patchSplinter Review
This was noticed while playing around with modutil, adding a module which library couldn't dlload()ed, and modutil crashed badly: *** glibc detected *** ./modutil: free(): invalid next size (fast): 0x0000000001ddfb50 *** (leaving out the backtrace and memory map) The problem is that none of the PR_Malloc() calls that depend on PR_GetErrorTextLength in NSS are safe: PR_GetErrorTextLength returns the text length, which means it doesn't include space for the terminating NULL character. PR_GetErrorText, itself, copies length + 1 characters, so the buffers are under-alloc'ed.
Attachment #421019 - Attachment is patch: true
Attachment #421019 - Attachment mime type: application/octet-stream → text/plain
Attachment #421019 - Flags: review?(wtc)
Comment on attachment 421019 [details] [diff] [review] patch r=wtc. Thanks for the patch. See my comment in bug 538940 comment 1 for the background of the off-by-one problem of PR_GetErrorTextLength. In short, the current implementation of PR_GetErrorTextLength doesn't match the originally intended specification. After I have verified that the current implementation is self-consistent, I'll change the documentation of PR_GetErrorTextLength to reflect the current implementation.
Attachment #421019 - Flags: review?(wtc) → review+
Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED
Keywords: checkin-needed
Bug 538939: Fix allocation of error message buffers for PR_GetErrorTextLength Patch contributed by Mike Hommey <mh+mozilla@glandium.org>, r=wtc Checking in modutil/pk11.c; new revision: 1.30; previous revision: 1.29 Checking in signtool/javascript.c; new revision: 1.7; previous revision: 1.6 Checking in signtool/zip.c; new revision: 1.6; previous revision: 1.5
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Keywords: checkin-needed
Priority: -- → P2
Target Milestone: --- → 3.12.7
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: