Closed Bug 556497 Opened 14 years ago Closed 14 years ago

ServerSessionIDLookup tries very hard to crash if !gotLock or pcce->sessionIDLength != psce->sessionIDLength

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED
3.12.7

People

(Reporter: timeless, Assigned: alvolkov.bgs)

Details

(Keywords: coverity, crash)

Attachments

(1 file)

769 ServerSessionIDLookup(const PRIPv6Addr *addr,
775     sidCacheEntry * psce;

792     if (psce) {
793         if (psce->version >= SSL_LIBRARY_VERSION_3_0) {
794             if ((cndx = psce->u.ssl3.certIndex) != -1) {
797                 if (gotLock) {
801                     if ((pcce->sessionIDLength == psce->sessionIDLength) &&
805                     } else {
810                         psce = 0;
814                 } else {
818                     PORT_Assert(!("Didn't get cert Cache Lock!"));
819                     psce = 0;
823             if ((cndx = psce->u.ssl3.srvNameIndex) != -1) {
Assignee: nobody → alexei.volkov.bugs
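To make the control-flow defect in the excerpt above concrete, here is an added example that is not NSS source: a stripped-down model of the same branch structure, with a predicate that tests the two conditions named in the bug title (lock not taken, or session ID lengths differ) and a corrected lookup that re-checks psce before reading srvNameIndex. The struct and function names (sid_entry, cert_entry, unsafe_deref_reached, lookup_fixed, make_sample) are hypothetical, and the byte comparison of the session IDs is an assumption of the model, since the quoted line 801 stops at the length check.

```c
/* Added example, not NSS code: a model of the branch structure quoted from
 * ServerSessionIDLookup. All type and function names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSL_LIBRARY_VERSION_3_0 0x0300  /* plays the role of the NSS constant */

typedef struct {
    unsigned char sessionID[32];
    unsigned int  sessionIDLength;
} cert_entry;                   /* stands in for the cert-cache entry (pcce) */

typedef struct {
    int           version;
    unsigned char sessionID[32];
    unsigned int  sessionIDLength;
    int           certIndex;    /* -1 when there is no cert-cache entry */
    int           srvNameIndex; /* -1 when there is no server-name entry */
} sid_entry;                    /* stands in for sidCacheEntry (psce) */

/* Returns 1 when the quoted code would clear psce inside the cert-cache block
 * and then still evaluate psce->u.ssl3.srvNameIndex, i.e. a NULL dereference.
 * Only the predicate is evaluated; nothing is dereferenced through NULL. */
int unsafe_deref_reached(const sid_entry *psce, const cert_entry *pcce, int gotLock)
{
    if (psce == NULL || psce->version < SSL_LIBRARY_VERSION_3_0)
        return 0;                   /* the SSL3 block is not entered at all */
    if (psce->certIndex == -1)
        return 0;                   /* no cert entry, so psce is never cleared */
    if (!gotLock)
        return 1;                   /* "Didn't get cert Cache Lock!" branch */
    if (pcce == NULL || pcce->sessionIDLength != psce->sessionIDLength)
        return 1;                   /* length-mismatch else branch */
    return 0;
}

/* Corrected flow: the server-name step runs only if psce survived the
 * cert-cache block. Returns the entry, or NULL when it was invalidated;
 * *srvNameIndex receives the server-name index or -1. */
const sid_entry *lookup_fixed(const sid_entry *psce, const cert_entry *pcce,
                              int gotLock, int *srvNameIndex)
{
    *srvNameIndex = -1;
    if (psce && psce->version >= SSL_LIBRARY_VERSION_3_0) {
        if (psce->certIndex != -1) {
            if (gotLock) {
                /* Assumption of this model: the comparison continues with a
                 * byte compare of the IDs after the length check. */
                if (!(pcce && pcce->sessionIDLength == psce->sessionIDLength &&
                      memcmp(pcce->sessionID, psce->sessionID,
                             psce->sessionIDLength) == 0)) {
                    psce = NULL;    /* stale cert entry: drop the session */
                }
            } else {
                psce = NULL;        /* could not take the cert-cache lock */
            }
        }
        /* The fix: re-check psce before touching it again. */
        if (psce && psce->srvNameIndex != -1)
            *srvNameIndex = psce->srvNameIndex;
    }
    return psce;
}

/* Constructed sample: a matching 32-byte session ID in both caches. */
void make_sample(sid_entry *s, cert_entry *c)
{
    unsigned int i;
    memset(s, 0, sizeof *s);
    memset(c, 0, sizeof *c);
    s->version = SSL_LIBRARY_VERSION_3_0;
    s->sessionIDLength = c->sessionIDLength = 32;
    for (i = 0; i < 32; i++)
        s->sessionID[i] = c->sessionID[i] = (unsigned char)i;
    s->certIndex = 3;
    s->srvNameIndex = 5;
}

int main(void)
{
    sid_entry s; cert_entry c; int idx;
    make_sample(&s, &c);
    printf("lock held, IDs match : unsafe=%d fixed=%s\n",
           unsafe_deref_reached(&s, &c, 1), lookup_fixed(&s, &c, 1, &idx) ? "entry" : "NULL");
    printf("lock not taken       : unsafe=%d fixed=%s\n",
           unsafe_deref_reached(&s, &c, 0), lookup_fixed(&s, &c, 0, &idx) ? "entry" : "NULL");
    c.sessionIDLength = 16;
    printf("length mismatch      : unsafe=%d fixed=%s\n",
           unsafe_deref_reached(&s, &c, 1), lookup_fixed(&s, &c, 1, &idx) ? "entry" : "NULL");
    return 0;
}
```

The predicate reproduces the reporter's point exactly: with certIndex set, either failure branch nulls psce, and the original then reaches line 823. The fixed lookup returns NULL in those cases so the caller treats the session as a cache miss rather than crashing.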
Could the following stack be related to this bug:


-----------------  lwp# 550 / thread# 550  --------------------
 feecc95c _lwp_kill (6, 0, fef35020, feeac1f8, ffffffff, 6) + 8
 fee41a2c abort    (7400, 1, 7c00, eea98, fef33418, 0) + 110
 fea85c48 __1cCosFabort6Fi_v_ (1, 0, fec1b5b4, febe6000, 7dd4, 7c00) + 58
 feb1626c __1cHVMErrorOreport_and_die6M_v_ (0, fec43ca0, fec3d3b4, 1, fea8a34c, fec3d3b4) + c84
 fe678f1c JVM_handle_solaris_signal (b, 14dae3d0, 14dae118, 8000, fec3c360, 3ec7708) + ab4
 feec8d94 __sighndlr (b, 14dae3d0, 14dae118, fe678430, 0, 1) + c
 feebd440 call_user_handler (b, ffbffeff, c, 0, 162b6200, 14dae118) + 3b8
 feebd614 sigacthandler (b, 14dae3d0, 14dae118, 0, 162b6200, 0) + 4c
 --- called from signal handler with signal 11 (SIGSEGV) ---
 180c1e28 ServerSessionIDLookup (0, 16f, 20, a660a0, 4c2bd858, 48) + 370
 180afc5c ssl3_HandleClientHello (1f425c8, 180f64e8, fc00, ff01, 2c00, 2800) + 554
 180b34c0 ssl3_HandleHandshakeMessage (1f425c8, 315000c, 5d, 180b3230, 0, ffffd000) + 23c
 180b388c ssl3_HandleHandshake (1f42820, 1f42d50, 1f425c8, 0, 0, 5d) + 11c
 180b3f3c ssl3_HandleRecord (1f425c8, 0, 1f42820, 1, 0, 16) + 5a0
 180b5150 ssl3_GatherCompleteHandshake (1f425c8, 0, 5ea8150, 1, 1, 14dafc8c) + 54
 180b6af0 ssl_GatherRecord1stHandshake (1f425c8, 0, 0, a2cc1000, 8000, 1f425c8) + 30
 180bea80 ssl_Do1stHandshake (fffffffe, 1, 33f9450, 1f425c8, 1, 0) + ec
 180c04d8 ssl_SecureRecv (1f425c8, 16ee068, fff, 0, 1f425c8, 180f4ff4) + 1c8
 180c74e0 ssl_Recv (1eff888, 16ee068, fff, 180c0310, 2dc6c0, 1f425c8) + 9c
 18197768 __1cNDaemonSessionNGetConnection6M_i_ (21efac8, f5000, 2, 18265d84, 248e908, 248e908) + 1d4
 18197b54 __1cNDaemonSessionDrun6M_v_ (21efac8, 1000, 18273054, 0, 0, 1827300c) + f4
 17e96dec ThreadMain (21efac8, 26abf88, 40000, 2b4948, 1, b7f038) + 24
if that roughly lines up with:
823             if ((cndx = psce->u.ssl3.srvNameIndex) != -1) {

then yes.
Priority: -- → P1
Target Milestone: --- → 3.12.7
Blocks: 575620
This patch should fix the crash. But I'd like to spend a bit more time to review the name cache. Nelson, please review the patch. Thx
Attachment #455796 - Flags: review?(nelson)
Comment on attachment 455796 [details] [diff] [review]
Fix the crash in session search function(integrated)

r=nelson
Attachment #455796 - Flags: review?(nelson) → review+
Attachment #455796 - Attachment description: Fix the crash in session search function → Fix the crash in session search function(integrated)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED