Closed Bug 633063 Opened 14 years ago Closed 13 years ago

Uninitialized memory read in CertDB common_FindCertByNicknameOrEmailAddrForUsage

Categories

(NSS :: Libraries, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(firefox-esr10 wontfix)

RESOLVED FIXED
3.13.2

People

(Reporter: briansmith, Assigned: KaiE)

References

Details

(Whiteboard: [sg:nse] might be critical for other uses)

Attachments

(1 file)

The variable "cert" might be read without having been assigned. If the uninitialized value is non-NULL then the memory it points to will be corrupted by the call to CERT_DestroyCertificate.

    common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, const char *name,
                                                  PRBool anyUsage, SECCertUsage lookingForUsage)
    {
        [...]
        CERTCertificate *cert;
        [...]
        if (anyUsage) {
            cert = PK11_FindCertFromNickname(name, NULL);
        } else {
            [...]
            certlist = PK11_FindCertsFromNickname(name, NULL);
            if (certlist) {
                SECStatus rv = CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE);
                if (SECSuccess == rv && !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
                    cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
                }
                CERT_DestroyCertList(certlist);
            }
        }
        if (cert) {
            c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
            CERT_DestroyCertificate(cert);
            if (ct) {
                CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
                [...]
            }
I can't find any uses of the public entry point CERT_FindCertByNicknameOrEmailAddrForUsage anywhere in the Mozilla tree so it doesn't seem like it could be a security problem that affects us, but could be a problem for any NSS-using app that calls it.
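The path the report describes is the one where anyUsage is false and the usage filter leaves the list empty: nothing assigns cert, so the later "if (cert)" tests stack garbage and, if that garbage is non-NULL, CERT_DestroyCertificate runs on it. The block below is an added example, not NSS code and not the attached patch. It models the function's control flow with the NSS calls replaced by small stand-ins over a constructed two-entry database (the names Cert, find_by_nick, find_list, lookup, check_invariants and the usage bit values are assumptions for this example), so that all four paths can be run and the reference accounting checked. The lookup has the fixed shape, with cert initialised to NULL; removing that initialiser reproduces the bug's shape.

```c
/* Added example, not NSS code: the lookup's control flow with stand-ins for
 * the NSS API over a constructed database. Names and usage bits are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int PRBool;
#define PR_TRUE  1
#define PR_FALSE 0

/* Stand-in for CERTCertificate: nickname, usage bitmask, reference count. */
typedef struct { const char *nickname; unsigned usage; int refcount; } Cert;

/* Constructed database: one cert per nickname, different usages. */
#define USAGE_EMAIL  0x1u
#define USAGE_SERVER 0x2u
static Cert g_db[] = { { "alice", USAGE_EMAIL, 1 }, { "bob", USAGE_SERVER, 1 } };
#define DB_LEN (sizeof g_db / sizeof g_db[0])

static int g_destroy_calls;  /* times destroy_cert() ran */
static int g_destroy_bogus;  /* destroy_cert() on a pointer not in g_db */

/* CERT_DupCertificate stand-in: take a reference. */
static Cert *dup_cert(Cert *c) { c->refcount++; return c; }

/* CERT_DestroyCertificate stand-in: drop a reference. A pointer outside the
 * database is what an unassigned 'cert' would hand the real function; there it
 * would write to memory it does not own, here it is only counted. */
static void destroy_cert(Cert *c) {
    g_destroy_calls++;
    for (size_t i = 0; i < DB_LEN; i++)
        if (c == &g_db[i]) { c->refcount--; return; }
    g_destroy_bogus++;
}

/* PK11_FindCertFromNickname stand-in: first cert with that nickname, referenced. */
static Cert *find_by_nick(const char *name) {
    for (size_t i = 0; i < DB_LEN; i++)
        if (strcmp(g_db[i].nickname, name) == 0) return dup_cert(&g_db[i]);
    return NULL;
}

/* PK11_FindCertsFromNickname + CERT_FilterCertListByUsage stand-in: fills out[]
 * with certs matching nickname and usage and returns the count; 0 is the
 * "filtered list is empty" case that left 'cert' unassigned in the bug. */
static size_t find_list(const char *name, unsigned usage, Cert **out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < DB_LEN && n < cap; i++)
        if (strcmp(g_db[i].nickname, name) == 0 && (g_db[i].usage & usage))
            out[n++] = &g_db[i];
    return n;
}

/* Fixed shape: 'cert' starts NULL, so the filtered path that matches nothing
 * reaches 'if (cert)' with a defined value and never calls destroy_cert().
 * Deleting "= NULL" gives the bug's shape: on that path 'cert' is whatever
 * happened to be on the stack. */
static Cert *lookup(const char *name, PRBool anyUsage, unsigned usage) {
    Cert *cert = NULL;
    if (anyUsage) {
        cert = find_by_nick(name);
    } else {
        Cert *matches[DB_LEN];
        size_t n = find_list(name, usage, matches, DB_LEN);
        if (n > 0)                        /* !CERT_LIST_END(CERT_LIST_HEAD(..)) */
            cert = dup_cert(matches[0]);  /* CERT_DupCertificate */
        /* CERT_DestroyCertList(certlist) would run here; 'cert' is untouched */
    }
    if (cert) {
        Cert *found = cert;   /* NSS resolves the temp/perm instance here */
        destroy_cert(cert);   /* drop the reference the lookup took */
        return found;
    }
    return NULL;
}

/* Every reference returned to its owner and no destroy on a bogus pointer. */
static int check_invariants(void) {
    for (size_t i = 0; i < DB_LEN; i++)
        if (g_db[i].refcount != 1) return 0;
    return g_destroy_bogus == 0;
}

int main(void) {
    const Cert *a = lookup("alice", PR_TRUE, 0);              /* hit, anyUsage   */
    const Cert *b = lookup("alice", PR_FALSE, USAGE_SERVER);  /* miss, bad usage */
    const Cert *c = lookup("bob",   PR_FALSE, USAGE_SERVER);  /* hit, filtered   */
    const Cert *d = lookup("carol", PR_TRUE, 0);              /* miss, no nick   */
    printf("alice/any=%s alice/server=%s bob/server=%s carol/any=%s\n",
           a ? a->nickname : "NULL", b ? b->nickname : "NULL",
           c ? c->nickname : "NULL", d ? d->nickname : "NULL");
    printf("destroy calls=%d bogus=%d invariants=%s\n", g_destroy_calls,
           g_destroy_bogus, check_invariants() ? "ok" : "BROKEN");
    return check_invariants() ? 0 : 1;
}
```

The miss-on-usage call is the one that matters: with the initialiser it returns NULL and leaves g_destroy_calls unchanged; without it the result depends on stack contents. Both compilers flag the unfixed shape at build time (clang's -Wsometimes-uninitialized, gcc's -Wmaybe-uninitialized with optimisation enabled), and MemorySanitizer reports the read of the unassigned pointer at run time, which is the check to add to an NSS-using app's build if it calls this entry point.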
Whiteboard: [sg:nse] might be critical for other uses
This issue has been reported publicly by :decoder in bug 714992, so we could open up this one, too.
Attached patch: Patch v1
Assignee: nobody → kaie
Attachment #587755 - Flags: review?(rrelyea)
Comment on attachment 587755 (Patch v1): r+ rrelyea
Attachment #587755 - Flags: review?(rrelyea) → review+
can we open this bug?

Checking in stanpcertdb.c;
/cvsroot/mozilla/security/nss/lib/certdb/stanpcertdb.c,v  <--  stanpcertdb.c
new revision: 1.89; previous revision: 1.88
done
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.13.2
Group: core-security