Closed
Bug 590806
Opened 15 years ago
Closed 1 year ago
Memory leak in pk11_PubDeriveECKeyWithKDF
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: briansmith, Assigned: anna.weine)
Attachments
(1 file)
    /* get our key Structure */
    symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
    [...]
            case CKD_SHA1_KDF:
                key_size = SHA1_LENGTH;
                break;
            default:
                PORT_Assert(!"Invalid CKD");
                PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
                return NULL;
Comment 1•15 years ago
We are not clear on how this bug is impacted by our plugin. Can you please clarify details on environment, call stacks, etc. to attempt to reproduce if so?
Comment 2•15 years ago
Lilian, are you sure your comment was meant for this bug?
Brian, Your initial description was so terse that I ignored it, until now,
figuring you would add detail later. You seem to be referring to these lines
of code:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11skey.c&rev=1.122&mark=1802,1818,1821-1824,1832-1834#1801
The function is a static function. It has one caller, namely, public
function PK11_PubDeriveWithKDF, of which there are 5 callers in libSSL and
one caller in PSM, in nsSet_EC_DHMAC_ProofOfPossession.
The path that leaks requires that the function be called with zero for the "keySize" argument, and with an unrecognized value for the kdf type argument.
This is essentially an invalid combination of arguments, but it still should
not leak.
It's conceivable that some Skype plugin is calling it with this combination of arguments, but I see no evidence for or against that hypothesis here.
Blocks: 615799
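The leak path described in comment 2 (zero key size plus an unrecognized KDF), next to the same logic with the error path freeing the key, as an added example; it is not NSS code and not the patch attached to this bug. All identifiers are hypothetical stand-ins, and a fixed pool replaces the allocator so the unreleased key can be counted.

```c
#include <stdio.h>
/* All names below are hypothetical stand-ins, not NSS identifiers. */
enum kdf { KDF_SHA1 = 1, KDF_UNKNOWN = 99 };
enum { SHA1_LEN = 20, POOL_SLOTS = 4 };
/* A fixed pool stands in for the allocator so unreleased keys can be counted. */
static struct sym_key { int in_use; int size; } pool[POOL_SLOTS];
static int live_keys; /* keys handed out and not yet freed */

static struct sym_key *key_new(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; live_keys++; return &pool[i]; }
    return NULL;
}
static void key_free(struct sym_key *k) { if (k && k->in_use) { k->in_use = 0; live_keys--; } }

/* Shape of the reported bug: the key is created first, then an argument
 * check fails and the function returns without releasing it. */
static struct sym_key *derive_leaky(int key_size, enum kdf kdf) {
    struct sym_key *k = key_new();
    if (!k) return NULL;
    if (key_size == 0) {
        if (kdf == KDF_SHA1) key_size = SHA1_LEN;
        else return NULL; /* k is still allocated and now unreachable */
    }
    k->size = key_size;
    return k;
}

/* Same logic, but the error path releases the key before returning. */
static struct sym_key *derive_fixed(int key_size, enum kdf kdf) {
    struct sym_key *k = key_new();
    if (!k) return NULL;
    if (key_size == 0) {
        if (kdf == KDF_SHA1) key_size = SHA1_LEN;
        else { key_free(k); return NULL; }
    }
    k->size = key_size;
    return k;
}

/* Calls fn once, frees whatever it returns, reports keys left allocated. */
static int leaked_by(struct sym_key *(*fn)(int, enum kdf), int size, enum kdf kdf) {
    int before = live_keys;
    key_free(fn(size, kdf)); /* a caller can only free what it gets back */
    return live_keys - before;
}

int main(void) {
    printf("leaky: %d key(s) left allocated\n", leaked_by(derive_leaky, 0, KDF_UNKNOWN));
    printf("fixed: %d key(s) left allocated\n", leaked_by(derive_fixed, 0, KDF_UNKNOWN));
}
```

Only the invalid combination leaks in the first variant; a valid KDF or a non-zero key size returns the key to the caller, which is why the path is easy to miss in normal testing.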
Reporter
Comment 3•15 years ago
Nelson, this bug was associated with the Skype tracking bug by mistake. Thanks for filling in the missing details regarding the leak.
Updated•3 years ago
Severity: minor → S4
Updated•2 years ago
Priority: -- → P5
Assignee
Comment 4•1 year ago
Updated•1 year ago
Attachment #9414336 - Attachment description: WIP: Bug 590806 - Freeing symKey in pk11_PubDeriveECKeyWithKDF when a key_size is 0 and wrong kdf → Bug 590806 - Freeing symKey in pk11_PubDeriveECKeyWithKDF when a key_size is 0 and wrong kdf
Assignee
Updated•1 year ago
Assignee: nobody → anna.weine
Assignee
Comment 5•1 year ago
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED