Closed Bug 633063 Opened 13 years ago Closed 12 years ago

Uninitialized memory read in CertDB common_FindCertByNicknameOrEmailAddrForUsage

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(firefox-esr10 wontfix)

RESOLVED FIXED
3.13.2

People

(Reporter: briansmith, Assigned: KaiE)

References

Details

(Whiteboard: [sg:nse] might be critical for other uses)

Attachments

(1 file)

The variable "cert" might be read without having been assigned. If the uninitialized value is non-NULL then the memory it points to will be corrupted by the call to CERT_DestroyCertificate.

common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
                                             const char *name,
                                             PRBool anyUsage,
                                             SECCertUsage lookingForUsage)
{
    [...]

    CERTCertificate *cert;      /* declared without an initializer */

    [...]

    if (anyUsage) {
        cert = PK11_FindCertFromNickname(name, NULL);
    }
    else {
        [...]

        certlist = PK11_FindCertsFromNickname(name, NULL);
        if (certlist) {
            SECStatus rv = CERT_FilterCertListByUsage(certlist,
                                                      lookingForUsage,
                                                      PR_FALSE);
            if (SECSuccess == rv &&
                !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
                cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
            }
            CERT_DestroyCertList(certlist);
        }
        /* if certlist is NULL, or the filter leaves it empty, cert is
           never assigned on this path */
    }

    if (cert) {                 /* reads the possibly uninitialized value */
        c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
        CERT_DestroyCertificate(cert);
        if (ct) {
            CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));

    [...]
}
I can't find any uses of the public entry point CERT_FindCertByNicknameOrEmailAddrForUsage anywhere in the Mozilla tree so it doesn't seem like it could be a security problem that affects us, but could be a problem for any NSS-using app that calls it.
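The hardening pattern for this bug class, as an added C example that is not the patch attached to this bug: a toy model of the function's control flow with the pointer initialized, so every path that assigns nothing falls through to "not found" instead of testing stack garbage. ToyCert, kStore and the toy_* functions are constructed stand-ins for CERTCertificate and the PK11_/CERT_ calls, not NSS APIs.

```c
/* Added example, not the NSS patch: a toy model of the control flow in
 * common_FindCertByNicknameOrEmailAddrForUsage with the pointer initialised.
 * ToyCert, kStore and the toy_* functions are constructed stand-ins for
 * CERTCertificate and the PK11_/CERT_ calls; they are not NSS APIs. */
#include <stddef.h>
#include <string.h>

typedef struct { const char *nickname; int usage; int refcnt; } ToyCert;

/* Constructed store: usage 1 = signing, usage 2 = encryption. */
static ToyCert kStore[] = { { "alice", 1, 1 }, { "bob", 2, 1 } };

/* Stand-in for PK11_FindCertFromNickname: a new reference, or NULL. */
static ToyCert *toy_find_by_nick(const char *name) {
    for (size_t i = 0; i < sizeof kStore / sizeof kStore[0]; i++) {
        if (strcmp(kStore[i].nickname, name) == 0) {
            kStore[i].refcnt++;
            return &kStore[i];
        }
    }
    return NULL;
}

/* Stand-in for CERT_DestroyCertificate: drops one reference. */
static void toy_destroy(ToyCert *c) { if (c) c->refcnt--; }

/* Mirrors the reported function. In the original, `cert` has no initialiser,
 * so on the paths that assign nothing (no nickname match, or the usage filter
 * empties the list) `if (cert)` tests stack garbage and the destroy call gets
 * a garbage pointer. Initialising to NULL makes those paths "not found".
 * Returns the selected nickname or NULL, with all references balanced. */
const char *toy_find_for_usage(const char *name, int anyUsage, int usage) {
    ToyCert *cert = NULL;                /* the one-line hardening */
    const char *found = NULL;
    if (anyUsage) {
        cert = toy_find_by_nick(name);
    } else {
        ToyCert *cand = toy_find_by_nick(name);   /* the "cert list" */
        if (cand && cand->usage == usage)
            cert = cand;                 /* CERT_DupCertificate(head) */
        else
            toy_destroy(cand);           /* filter removed it; list freed */
    }
    if (cert) {                          /* well defined on every path now */
        found = cert->nickname;
        toy_destroy(cert);
    }
    return found;
}
```

Building the original pattern with gcc or clang `-Wall` (which enables `-Wmaybe-uninitialized`) or running it under MemorySanitizer (`clang -fsanitize=memory`) is how this kind of conditional-assignment read is normally caught before it ships.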
Whiteboard: [sg:nse] might be critical for other uses
This issue has been reported publicly by :decoder in bug 714992, so we could open up this one, too.
Attached patch: Patch v1
Assignee: nobody → kaie
Attachment #587755 - Flags: review?(rrelyea)
Comment on attachment 587755 [details] [diff] [review]
Patch v1

r+ rrelyea
Attachment #587755 - Flags: review?(rrelyea) → review+
Can we open this bug?

Checking in stanpcertdb.c;
/cvsroot/mozilla/security/nss/lib/certdb/stanpcertdb.c,v  <--  stanpcertdb.c
new revision: 1.89; previous revision: 1.88
done
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.13.2
Group: core-security