libssl: When decompressing, ssl3_HandleRecord doesn't zero-out plaintext buffer before freeing it

NEW
Unassigned

Status

NSS
Libraries
8 years ago
8 years ago

People

(Reporter: briansmith, Unassigned)

Tracking

(Depends on: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

AFAICT, every buffer in libssl that may contain plaintext application data is supposed to be zeroed out. However, the temporary buffer used for decompression isn't zeroed out in ssl_HandleRecord.

The fix is to change the PORT_Free(plaintext->buf) to PORT_ZFree(plaintext->buf) everywhere in ssl3_HandleRecord.
The patch for bug 576902 contains a fix for this bug.
Depends on: 576902
You need to log in before you can comment on or make changes to this bug.