User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/220.127.116.115 Safari/532.5
Build Identifier: nss-3.12.4-with-nspr-4.8

tstclnt crashes due to lack of input sanitization. Empty (NULL) values are directly passed to PORT_Strdup().

Reproducible: Always

Steps to Reproduce:
1. Build and install NSS tools
2. Try to invoke tstclnt -h (or tstclnt -c, tstclnt -d, tstclnt -w, tstclnt -W)

Actual Results:
Tool crashed with segmentation fault. GDB says:

debian:~/nss# gdb -q bin/tstclnt
(gdb) r -h
Starting program: /root/nss/nss-3.12.4-with-nspr-4.8/mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/bin/tstclnt -h
[Thread debugging using libthread_db enabled]
[New Thread 0xb7c146b0 (LWP 11564)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c146b0 (LWP 11564)]
0xb7c8c3b3 in strlen () from /lib/i686/cmov/libc.so.6
(gdb) where
#0  0xb7c8c3b3 in strlen () from /lib/i686/cmov/libc.so.6
#1  0xb7df410c in PORT_Strdup_Util (str=0x0) at secport.c:168
#2  0x0804c9c3 in main (argc=2, argv=0xbfae5274) at tstclnt.c:555

Expected Results:
There should be no crash, but usage information should be printed.
Created attachment 438784
Patch that adds sanity check for passed arguments
Comment on attachment 438784
Patch that adds sanity check for passed arguments

r=nelson. Thanks! Some lines are too long. Will wrap them before committing.
Comment on attachment 438784
Patch that adds sanity check for passed arguments

I'm sorry, I must retract my r+ review, and change it to r-. The problem is that this patch does not apply cleanly to the current NSS source tree. This patch was apparently created against an older version of NSS. It didn't apply cleanly to the trunk as of the date it was submitted (so this is not a problem caused by delayed reviewing).

Now, you could submit another patch, but I suggest that, instead, you try one of the patches attached to bug 547677. I believe that patch will solve the problem for ALL NSS programs at once, without needing to modify each and every one of them. Please try it and let us know if that is a satisfactory solution for you.
Nelson: No problem. The issue is not reproduced with patch #2 applied to the most recent NSS (3.12.6).