Closed
Bug 581284
Opened 15 years ago
Closed 14 years ago
valgrind reports invalid read [@ rc4_wordconv]
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 341127
People
(Reporter: jdm, Unassigned)
==17356== Thread 10:
==17356== Invalid read of size 4
==17356== at 0x7BCB16F: rc4_wordconv (arcfour.c:555)
==17356== by 0x7BCB480: RC4_Encrypt (arcfour.c:615)
==17356== by 0x783DF62: RC4_Encrypt (loader.c:365)
==17356== by 0x781F976: NSC_EncryptUpdate (pkcs11c.c:926)
==17356== by 0x65B53B1: PK11_CipherOp (pk11cxt.c:732)
==17356== by 0x6544475: ssl3_CompressMACEncryptRecord (ssl3con.c:2124)
==17356== by 0x6544894: ssl3_SendRecord (ssl3con.c:2241)
==17356== by 0x6544CC1: ssl3_SendApplicationData (ssl3con.c:2357)
==17356== by 0x65648B4: ssl_SecureSend (sslsecur.c:1232)
==17356== by 0x656499F: ssl_SecureWrite (sslsecur.c:1249)
==17356== by 0x656C019: ssl_Write (sslsock.c:1641)
==17356== by 0x5249ADB: nsSSLThread::Run() (nsSSLThread.cpp:1045)
==17356== Address 0xe967190 is 440 bytes inside a block of size 441 alloc'd
==17356== at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==17356== by 0x4036B78: moz_malloc (mozalloc.cpp:108)
==17356== by 0x5771D41: NS_Alloc_P (nsMemoryImpl.cpp:279)
==17356== by 0x43AC455: nsMemory::Alloc(unsigned int) (nsMemory.h:68)
==17356== by 0x525E9B2: nsSSLSocketThreadData::ensure_buffer_size(int) (nsNSSIOLayer.cpp:196)
==17356== by 0x524966B: nsSSLThread::requestWrite(nsNSSSocketInfo*, void const*, int, unsigned int) (nsSSLThread.cpp:882)
==17356== by 0x52637E0: PSMSend(PRFileDesc*, void const*, int, int, unsigned int) (nsNSSIOLayer.cpp:2121)
==17356== by 0x5263856: nsSSLIOLayerWrite(PRFileDesc*, void const*, int) (nsNSSIOLayer.cpp:2133)
==17356== by 0x404C039: PR_Write (priometh.c:146)
==17356== by 0x43C263D: nsSocketOutputStream::Write(char const*, unsigned int, unsigned int*) (nsSocketTransport2.cpp:576)
==17356== by 0x44499FD: nsHttpConnection::OnReadSegment(char const*, unsigned int, unsigned int*) (nsHttpConnection.cpp:542)
==17356== by 0x4458669: nsHttpTransaction::ReadRequestSegment(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) (nsHttpTransaction.cpp:447)
==17356==
Updated•15 years ago
Assignee: nobody → nobody
Component: Security: PSM → Documentation
Product: Core → NSS
QA Contact: psm → documentation
Version: Trunk → trunk
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Component: Documentation → Libraries
QA Contact: documentation → libraries
Resolution: --- → DUPLICATE
Comment 2•14 years ago
The call stack referred to arcfour.c:555, rev. 1.19:
/* If the amount of remaining input is greater than the amount
* bytes pulled from the current input word, need to do another
* word load. What's left in inWord will be consumed in step 3.
*/
if (inputLen > WORDSIZE - inOffset)
555 inWord |= *pInWord RSH bufShift; /* UMR? See above. */
} else {
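Added example, not NSS code and not part of the original bug: Valgrind places a 4-byte read at offset 440 of a 441-byte block, so a full-word load there touches bytes past the allocation. The sketch below computes that overread and shows a word-at-a-time XOR whose tail load is bounded with memcpy. All function names are hypothetical, the 4-byte word size is assumed from the "Invalid read of size 4" line, and the buffer contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WORDSIZE sizeof(uint32_t) /* assumption: 4-byte word, as in "Invalid read of size 4" */

/* How many bytes beyond a len-byte block a full-word load at offset off touches. */
size_t overread_bytes(size_t len, size_t off)
{
    size_t avail = off < len ? len - off : 0;
    return avail >= WORDSIZE ? 0 : WORDSIZE - avail;
}

/* Bounded load: copy only the bytes that exist; the rest of the word stays zero. */
uint32_t load_word_bounded(const unsigned char *buf, size_t len, size_t off)
{
    uint32_t w = 0;
    size_t avail = off < len ? len - off : 0;
    if (avail > 0)
        memcpy(&w, buf + off, avail < WORDSIZE ? avail : WORDSIZE);
    return w;
}

/* XOR keystream ks into in, a word at a time, without touching bytes past len. */
void xor_words_bounded(unsigned char *out, const unsigned char *in,
                       const unsigned char *ks, size_t len)
{
    for (size_t off = 0; off < len; off += WORDSIZE) {
        size_t n = len - off < WORDSIZE ? len - off : WORDSIZE;
        uint32_t w = load_word_bounded(in, len, off) ^ load_word_bounded(ks, len, off);
        memcpy(out + off, &w, n); /* store only the bytes that belong to the buffer */
    }
}

/* Constructed check on exact-size heap blocks of 441 bytes (the size in the report). */
int xor_selftest(void)
{
    size_t len = 441, i;
    unsigned char *in = malloc(len), *ks = malloc(len), *out = malloc(len);
    int ok = in && ks && out;
    for (i = 0; ok && i < len; i++) { in[i] = (unsigned char)i; ks[i] = (unsigned char)(i * 7 + 3); }
    if (ok) xor_words_bounded(out, in, ks, len);
    for (i = 0; ok && i < len; i++) ok = out[i] == (in[i] ^ ks[i]);
    free(in); free(ks); free(out);
    return ok;
}
```

Because the buffers are exact-size heap blocks, running `xor_selftest()` under Valgrind or AddressSanitizer would flag any load that strays past byte 440.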