Closed
Bug 556497
Opened 16 years ago
Closed 15 years ago
ServerSessionIDLookup tries very hard to crash if !gotLock or pcce->sessionIDLength != psce->sessionIDLength
Categories: NSS :: Libraries, defect, P1
Tracking: (Not tracked)
Status: RESOLVED FIXED
Target Milestone: 3.12.7
People: Reporter: timeless, Assigned: alvolkov.bgs
Details: Keywords: coverity, crash
Attachments (1 file): patch, 737 bytes; nelson: review+
769 ServerSessionIDLookup(const PRIPv6Addr *addr,
775 sidCacheEntry * psce;
792 if (psce) {
793 if (psce->version >= SSL_LIBRARY_VERSION_3_0) {
794 if ((cndx = psce->u.ssl3.certIndex) != -1) {
797 if (gotLock) {
801 if ((pcce->sessionIDLength == psce->sessionIDLength) &&
805 } else {
810 psce = 0;
814 } else {
818 PORT_Assert(!("Didn't get cert Cache Lock!"));
819 psce = 0;
823 if ((cndx = psce->u.ssl3.srvNameIndex) != -1) {
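The control flow the excerpt shows, as an added example that is neither the reporter's text nor NSS code: a minimal C model of the SSL3 branch of the lookup, where guard == 0 reproduces the ordering in the excerpt (both else branches set psce to 0, then line 823 dereferences it anyway) and guard == 1 skips that dereference when psce is NULL. The struct shapes, run_case and the guard are constructed assumptions; the actual fix in attachment 455796 is not reproduced on this page.

```c
#include <stddef.h>
#include <string.h>

#define SSL_LIBRARY_VERSION_3_0 0x0300   /* same value NSS uses in sslproto.h */

/* Constructed stand-ins for the cache entry shapes; not NSS's real structs. */
typedef struct { int certIndex; int srvNameIndex; } Ssl3Part;
typedef struct { int version; unsigned sessionIDLength; unsigned char sessionID[32]; Ssl3Part ssl3; } SidCacheEntry;
typedef struct { unsigned sessionIDLength; unsigned char sessionID[32]; } CertCacheEntry;

enum Outcome { SID_FOUND = 0, SID_NOT_FOUND = 1, SID_NULL_DEREF = 2 };

/* Model of the SSL3 branch of ServerSessionIDLookup. pcce stands in for the cert-cache
 * entry the real code fetches by certIndex. With guard == 0 the flow matches the excerpt:
 * both else branches set psce = 0, yet the srvNameIndex test (line 823) dereferences it.
 * With guard == 1 that dereference is skipped when psce is NULL (assumed shape of a fix;
 * the real patch is not on the bug page). */
enum Outcome sid_lookup(SidCacheEntry *psce, CertCacheEntry *pcce, int gotLock, int guard)
{
    int cndx;
    if (psce && psce->version >= SSL_LIBRARY_VERSION_3_0) {
        if ((cndx = psce->ssl3.certIndex) != -1) {
            if (gotLock) {
                if (pcce->sessionIDLength == psce->sessionIDLength &&
                    memcmp(pcce->sessionID, psce->sessionID, psce->sessionIDLength) == 0) {
                    /* cert cache entry agrees with the session entry: keep psce */
                } else {
                    psce = 0;          /* mismatch: entry discarded */
                }
            } else {
                psce = 0;              /* "Didn't get cert Cache Lock!" */
            }
        }
        if (!guard && psce == NULL)
            return SID_NULL_DEREF;     /* where the original takes SIGSEGV at line 823 */
        if (psce && (cndx = psce->ssl3.srvNameIndex) != -1) {
            /* server-name cache consistency check would follow here */
        }
        (void)cndx;
    }
    return psce ? SID_FOUND : SID_NOT_FOUND;
}

/* Builds one constructed scenario and runs it; returns the modelled outcome. */
enum Outcome run_case(int gotLock, unsigned sidLen, unsigned certLen, int certIndex, int guard)
{
    SidCacheEntry sce = { SSL_LIBRARY_VERSION_3_0, sidLen, {1, 2, 3, 4}, { certIndex, 0 } };
    CertCacheEntry cce = { certLen, {1, 2, 3, 4} };
    return sid_lookup(&sce, &cce, gotLock, guard);
}
```

The two unguarded cases that return SID_NULL_DEREF are exactly the !gotLock and sessionIDLength mismatch paths named in the bug title.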
Updated•16 years ago
Assignee: nobody → alexei.volkov.bugs
Comment 1•15 years ago
Could the following stack be related to this bug:
----------------- lwp# 550 / thread# 550 --------------------
feecc95c _lwp_kill (6, 0, fef35020, feeac1f8, ffffffff, 6) + 8
fee41a2c abort (7400, 1, 7c00, eea98, fef33418, 0) + 110
fea85c48 __1cCosFabort6Fi_v_ (1, 0, fec1b5b4, febe6000, 7dd4, 7c00) + 58
feb1626c __1cHVMErrorOreport_and_die6M_v_ (0, fec43ca0, fec3d3b4, 1, fea8a34c, fec3d3b4) + c84
fe678f1c JVM_handle_solaris_signal (b, 14dae3d0, 14dae118, 8000, fec3c360, 3ec7708) + ab4
feec8d94 __sighndlr (b, 14dae3d0, 14dae118, fe678430, 0, 1) + c
feebd440 call_user_handler (b, ffbffeff, c, 0, 162b6200, 14dae118) + 3b8
feebd614 sigacthandler (b, 14dae3d0, 14dae118, 0, 162b6200, 0) + 4c
--- called from signal handler with signal 11 (SIGSEGV) ---
180c1e28 ServerSessionIDLookup (0, 16f, 20, a660a0, 4c2bd858, 48) + 370
180afc5c ssl3_HandleClientHello (1f425c8, 180f64e8, fc00, ff01, 2c00, 2800) + 554
180b34c0 ssl3_HandleHandshakeMessage (1f425c8, 315000c, 5d, 180b3230, 0, ffffd000) + 23c
180b388c ssl3_HandleHandshake (1f42820, 1f42d50, 1f425c8, 0, 0, 5d) + 11c
180b3f3c ssl3_HandleRecord (1f425c8, 0, 1f42820, 1, 0, 16) + 5a0
180b5150 ssl3_GatherCompleteHandshake (1f425c8, 0, 5ea8150, 1, 1, 14dafc8c) + 54
180b6af0 ssl_GatherRecord1stHandshake (1f425c8, 0, 0, a2cc1000, 8000, 1f425c8) + 30
180bea80 ssl_Do1stHandshake (fffffffe, 1, 33f9450, 1f425c8, 1, 0) + ec
180c04d8 ssl_SecureRecv (1f425c8, 16ee068, fff, 0, 1f425c8, 180f4ff4) + 1c8
180c74e0 ssl_Recv (1eff888, 16ee068, fff, 180c0310, 2dc6c0, 1f425c8) + 9c
18197768 __1cNDaemonSessionNGetConnection6M_i_ (21efac8, f5000, 2, 18265d84, 248e908, 248e908) + 1d4
18197b54 __1cNDaemonSessionDrun6M_v_ (21efac8, 1000, 18273054, 0, 0, 1827300c) + f4
17e96dec ThreadMain (21efac8, 26abf88, 40000, 2b4948, 1, b7f038) + 24
Comment 2•15 years ago
If that roughly lines up with:
823 if ((cndx = psce->u.ssl3.srvNameIndex) != -1) {
then yes.
Updated•15 years ago
Priority: -- → P1
Target Milestone: --- → 3.12.7
Comment 3•15 years ago
This patch should fix the crash. But I'd like to spend a bit more time to review the name cache. Nelson, please review the patch. Thx
Attachment #455796 - Flags: review?(nelson)
Comment 4•15 years ago
Comment on attachment 455796 [details] [diff] [review]
Fix the crash in session search function(integrated)
r=nelson
Attachment #455796 - Flags: review?(nelson) → review+
Updated•15 years ago
Attachment #455796 - Attachment description: Fix the crash in session search function → Fix the crash in session search function(integrated)
Updated•15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED