Closed Bug 581284 Opened 14 years ago Closed 13 years ago

valgrind reports invalid read [@ rc4_wordconv]

Categories

(NSS :: Libraries, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 341127

People

(Reporter: jdm, Unassigned)


Details

==17356== Thread 10:
==17356== Invalid read of size 4
==17356==    at 0x7BCB16F: rc4_wordconv (arcfour.c:555)
==17356==    by 0x7BCB480: RC4_Encrypt (arcfour.c:615)
==17356==    by 0x783DF62: RC4_Encrypt (loader.c:365)
==17356==    by 0x781F976: NSC_EncryptUpdate (pkcs11c.c:926)
==17356==    by 0x65B53B1: PK11_CipherOp (pk11cxt.c:732)
==17356==    by 0x6544475: ssl3_CompressMACEncryptRecord (ssl3con.c:2124)
==17356==    by 0x6544894: ssl3_SendRecord (ssl3con.c:2241)
==17356==    by 0x6544CC1: ssl3_SendApplicationData (ssl3con.c:2357)
==17356==    by 0x65648B4: ssl_SecureSend (sslsecur.c:1232)
==17356==    by 0x656499F: ssl_SecureWrite (sslsecur.c:1249)
==17356==    by 0x656C019: ssl_Write (sslsock.c:1641)
==17356==    by 0x5249ADB: nsSSLThread::Run() (nsSSLThread.cpp:1045)
==17356==  Address 0xe967190 is 440 bytes inside a block of size 441 alloc'd
==17356==    at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==17356==    by 0x4036B78: moz_malloc (mozalloc.cpp:108)
==17356==    by 0x5771D41: NS_Alloc_P (nsMemoryImpl.cpp:279)
==17356==    by 0x43AC455: nsMemory::Alloc(unsigned int) (nsMemory.h:68)
==17356==    by 0x525E9B2: nsSSLSocketThreadData::ensure_buffer_size(int) (nsNSSIOLayer.cpp:196)
==17356==    by 0x524966B: nsSSLThread::requestWrite(nsNSSSocketInfo*, void const*, int, unsigned int) (nsSSLThread.cpp:882)
==17356==    by 0x52637E0: PSMSend(PRFileDesc*, void const*, int, int, unsigned int) (nsNSSIOLayer.cpp:2121)
==17356==    by 0x5263856: nsSSLIOLayerWrite(PRFileDesc*, void const*, int) (nsNSSIOLayer.cpp:2133)
==17356==    by 0x404C039: PR_Write (priometh.c:146)
==17356==    by 0x43C263D: nsSocketOutputStream::Write(char const*, unsigned int, unsigned int*) (nsSocketTransport2.cpp:576)
==17356==    by 0x44499FD: nsHttpConnection::OnReadSegment(char const*, unsigned int, unsigned int*) (nsHttpConnection.cpp:542)
==17356==    by 0x4458669: nsHttpTransaction::ReadRequestSegment(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (nsHttpTransaction.cpp:447)
==17356==
Assignee: nobody → nobody
Component: Security: PSM → Documentation
Product: Core → NSS
QA Contact: psm → documentation
Version: Trunk → trunk
Status: NEW → RESOLVED
Closed: 13 years ago
Component: Documentation → Libraries
QA Contact: documentation → libraries
Resolution: --- → DUPLICATE
The call stack referred to arcfour.c:555, rev. 1.19:

               /* If the amount of remaining input is greater than the amount
                * bytes pulled from the current input word, need to do another
                * word load.  What's left in inWord will be consumed in step 3.
                */
               if (inputLen > WORDSIZE - inOffset)
555                    inWord |= *pInWord RSH bufShift; /* UMR?  See above. */
       } else {
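
An added example, not NSS code and not part of the original report: it works through the arithmetic in the Valgrind trace above (a 4-byte read starting 440 bytes into a 441-byte block) and shows one way to load a tail word without touching memory past the end of the block. The names `overread_bytes`, `load_tail_word`, `word_byte` and `sample_block` are hypothetical, and the 4-byte word size is an assumption taken from "Invalid read of size 4".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 4-byte word, matching "Invalid read of size 4" in the trace. */
#define WORD_BYTES sizeof(uint32_t)

/* Constructed sample: a 441-byte block like the one in the trace, last byte set. */
static const unsigned char sample_block[441] = { [440] = 0xAB };

/* How many bytes a full-word load at `offset` reads beyond a block of `block_len` bytes. */
size_t overread_bytes(size_t block_len, size_t offset)
{
    size_t avail = offset < block_len ? block_len - offset : 0;
    return avail >= WORD_BYTES ? 0 : WORD_BYTES - avail;
}

/* Hypothetical bounded load: copies only the bytes that exist, zero-fills the rest. */
uint32_t load_tail_word(const unsigned char *buf, size_t block_len, size_t offset)
{
    uint32_t w = 0;
    size_t avail = offset < block_len ? block_len - offset : 0;
    if (avail > WORD_BYTES)
        avail = WORD_BYTES;
    if (avail > 0)
        memcpy(&w, buf + offset, avail);
    return w;
}

/* Byte `i` of a word in memory order, so checks do not depend on endianness. */
unsigned char word_byte(uint32_t w, size_t i)
{
    unsigned char b[sizeof w];
    memcpy(b, &w, sizeof w);
    return b[i];
}

int main(void)
{
    uint32_t w = load_tail_word(sample_block, sizeof sample_block, 440);
    printf("full-word load at 440 overreads %zu bytes\n",
           overread_bytes(sizeof sample_block, 440));
    printf("bounded load: first byte 0x%02X, padding 0x%02X\n",
           word_byte(w, 0), word_byte(w, 3));
    return 0;
}
```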