Uninitialized memory read in CertDB common_FindCertByNicknameOrEmailAddrForUsage

RESOLVED FIXED in 3.13.2

Status: RESOLVED FIXED
Product: NSS, Component: Libraries
Reported: 7 years ago, Modified: 3 years ago

People: Reporter briansmith, Assigned to kaie

Firefox Tracking Flags: firefox-esr10 wontfix

Whiteboard: [sg:nse] might be critical for other uses

Attachments: 1 attachment

The variable "cert" might be read without having been assigned. If the uninitialized value is non-NULL then the memory it points to will be corrupted by the call to CERT_DestroyCertificate.

common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
                                             const char *name,
                                             PRBool anyUsage,
                                             SECCertUsage lookingForUsage)
{
    [...]

    CERTCertificate *cert;   /* declared without an initializer */

    [...]

    if (anyUsage) {
        cert = PK11_FindCertFromNickname(name, NULL);
    }
    else {
        [...]

        certlist = PK11_FindCertsFromNickname(name, NULL);
        if (certlist) {
            SECStatus rv = CERT_FilterCertListByUsage(certlist,
                                                      lookingForUsage,
                                                      PR_FALSE);
            if (SECSuccess == rv &&
                !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
                cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
            }
            CERT_DestroyCertList(certlist);
        }
        /* cert is still unassigned here if certlist was NULL, the usage
           filter failed, or the filtered list came back empty */
    }

    if (cert) {
        c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
        CERT_DestroyCertificate(cert);
        if (ct) {
            CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));

    [...]
}
I can't find any uses of the public entry point CERT_FindCertByNicknameOrEmailAddrForUsage anywhere in the Mozilla tree so it doesn't seem like it could be a security problem that affects us, but could be a problem for any NSS-using app that calls it.
Whiteboard: [sg:nse] might be critical for other uses
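A stand-alone C model of the lookup with the pointer initialized, added here as an editorial example; it is neither NSS code nor the attached patch (which is not reproduced on this page). The Cert type, the USAGE_* bits, the sample store and the find_* helpers are hypothetical stand-ins for CERTCertificate, SECCertUsage and the PK11_* / CERT_* calls in the excerpt above. It keeps the branch shape of the excerpt: the "anyUsage" branch always assigns cert, while the usage-filtered branch only assigns it when a matching cert exists, which is exactly the path that reached "if (cert)" with stack garbage in the original.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for CERTCertificate (not NSS's type): a refcounted
 * record with a nickname and a bitmask of the usages it is valid for. */
typedef struct {
    const char *nickname;
    unsigned usage;
    int refcount;
} Cert;

/* Usage bits, constructed for this example (not NSS's SECCertUsage values). */
#define USAGE_SSL_CLIENT   0x1u
#define USAGE_EMAIL_SIGNER 0x2u

/* Constructed sample store. "bob" exists but carries no SSL client usage, so
 * a usage-filtered lookup for it finds the nickname and then filters it away. */
static Cert g_store[] = {
    { "alice", USAGE_SSL_CLIENT | USAGE_EMAIL_SIGNER, 1 },
    { "bob",   USAGE_EMAIL_SIGNER,                    1 },
};
#define STORE_LEN (sizeof g_store / sizeof g_store[0])

/* Models CERT_DupCertificate / CERT_DestroyCertificate on the stand-in type.
 * NSS drops a reference and frees at zero; handed an uninitialized pointer it
 * would decrement, or free, whatever memory that garbage value points at. */
static Cert *cert_dup(Cert *c)     { if (c) c->refcount++; return c; }
static void  cert_destroy(Cert *c) { if (c) c->refcount--; }

/* Models PK11_FindCertFromNickname: first cert with that nickname, any usage. */
static Cert *find_any_usage(const char *name)
{
    for (size_t i = 0; i < STORE_LEN; i++)
        if (strcmp(g_store[i].nickname, name) == 0)
            return cert_dup(&g_store[i]);
    return NULL;
}

/* Models PK11_FindCertsFromNickname followed by CERT_FilterCertListByUsage:
 * first cert with that nickname that also has the requested usage bits. */
static Cert *find_for_usage(const char *name, unsigned usage)
{
    for (size_t i = 0; i < STORE_LEN; i++)
        if (strcmp(g_store[i].nickname, name) == 0 &&
            (g_store[i].usage & usage) == usage)
            return cert_dup(&g_store[i]);
    return NULL;
}

/* Lookup with the same branch shape as the excerpt. The caller owns one
 * reference on the returned cert and must cert_destroy() it; NULL = no match. */
Cert *find_cert_by_nickname_for_usage(const char *name, int anyUsage,
                                      unsigned lookingForUsage)
{
    /* The fix: initialize. Without "= NULL" the else branch below can finish
     * without ever assigning cert, and "if (cert)" then tests stack garbage. */
    Cert *cert = NULL;

    if (anyUsage) {
        cert = find_any_usage(name);            /* always assigns cert */
    } else {
        Cert *match = find_for_usage(name, lookingForUsage);
        if (match) {
            cert = match;                       /* only assigned on a match */
        }
    }

    /* In NSS the match is then resolved through the STAN layer and the
     * temporary reference released; here the caller simply gets the reference. */
    return cert;
}

/* Helper: run a lookup, report whether it found `expect` (NULL = expect no
 * match), and release the reference so the store's refcounts stay balanced. */
int lookup_finds(const char *name, int anyUsage, unsigned usage, const char *expect)
{
    Cert *c = find_cert_by_nickname_for_usage(name, anyUsage, usage);
    int ok = (c == NULL) ? (expect == NULL)
                         : (expect != NULL && strcmp(c->nickname, expect) == 0);
    cert_destroy(c);
    return ok;
}

/* Helper: current refcount of the store entry with this nickname, -1 if none. */
int refcount_of(const char *name)
{
    for (size_t i = 0; i < STORE_LEN; i++)
        if (strcmp(g_store[i].nickname, name) == 0)
            return g_store[i].refcount;
    return -1;
}

int main(void)
{
    printf("bob for SSL client usage: %s\n",
           lookup_finds("bob", 0, USAGE_SSL_CLIENT, NULL) ? "no match" : "unexpected match");
    printf("alice refcount after lookups: %d\n", refcount_of("alice"));
    return 0;
}
```

Building the model with the initializer removed and `-Wall` (GCC or Clang) is a quick way to see the class of warning (`may be used uninitialized`) that would have flagged the original; the filtered-miss case, "bob" looked up for USAGE_SSL_CLIENT, is the one that exercises the unassigned path.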
Comment 2 (Assignee, 6 years ago)
This issue has been reported publicly by :decoder in bug 714992, so we could open up this one, too.
Updated (Assignee, 6 years ago)
Duplicate of this bug: 714992
Comment 4 (Assignee, 6 years ago)
Created attachment 587755 [details] [diff] [review]
Patch v1
Assignee: nobody → kaie
Attachment #587755 - Flags: review?(rrelyea)

Comment 5 (6 years ago)
Comment on attachment 587755 [details] [diff] [review]
Patch v1

r+ rrelyea
Attachment #587755 - Flags: review?(rrelyea) → review+
Comment 6 (Assignee, 6 years ago)
can we open this bug?


Checking in stanpcertdb.c;
/cvsroot/mozilla/security/nss/lib/certdb/stanpcertdb.c,v  <--  stanpcertdb.c
new revision: 1.89; previous revision: 1.88
done
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.13.2
status-firefox-esr10: --- → wontfix
Group: core-security