Closed Bug 644070 Opened 9 years ago Closed 9 years ago

nsNSSCertificate::defaultServerNickname leaks in case of server name conflict

Categories

(Core :: Security: PSM, defect)

x86
macOS
defect
Not set

Tracking

RESOLVED FIXED
mozilla5

People

(Reporter: ehsan, Assigned: ehsan)

References

Details

(Keywords: memory-leak)

Attachments

(1 file, 1 obsolete file)

The OS X leaks report tool found this leak, under this stack:

[thread 0x12250a000]: | thread_start | _pthread_start | _pt_root | nsSSLThread::Run() | ssl_Write | ssl_SecureSend | ssl_Do1stHandshake | ssl_GatherRecord1stHandshake | ssl3_GatherCompleteHandshake | ssl3_HandleRecord | ssl3_HandleHandshakeMessage | AuthCertificateCallback(void*, PRFileDesc*, int, int) | nsNSSCertificate::defaultServerNickname(CERTCertificateStr*) | PR_smprintf | PR_vsmprintf | dosprintf | GrowStuff | PR_Realloc | realloc | malloc_zone_realloc

What's happening is that if SEC_CertNicknameConflict returns false, we fail to free the value stored in nickname.

This may be one of the leaks of bug 497808.  I found it while I was trying to use the leaks tool to debug that bug.
Attached patch Patch (v1) (obsolete) — Splinter Review
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #521123 - Flags: review?(honzab.moz)
Comment on attachment 521123 [details] [diff] [review]
Patch (v1)

r=honzab
Attachment #521123 - Flags: review?(honzab.moz) → review+
Depends on: post2.0
Whiteboard: [post-2.0]
http://hg.mozilla.org/mozilla-central/rev/de9265797f0a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
No longer depends on: post2.0
Resolution: --- → FIXED
Whiteboard: [post-2.0]
Target Milestone: --- → mozilla2.2
Hmm, actually my patch was incorrect.  It turned the Mac browser-chrome suite orange (luckily) so I backed it out: http://hg.mozilla.org/mozilla-central/rev/741701875aec

If |conflict| is false, we end up returning |nickname|, so freeing it would be a mistake.

Seems like the job of freeing the returned string should be put on the callers, or we should just return a string instead of a char*...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
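The ownership question raised in the description and in the comment above (losing candidates must be freed inside the retry loop, the winning candidate must not be freed by the callee because it is what gets returned, and the caller then owns it) is illustrated by the following added example. It is not PSM's code: make_candidate, nickname_conflicts, release and the in_use table are hypothetical stand-ins for PR_smprintf, SEC_CertNicknameConflict, PR_Free and the certificate database, and the live-string counter is constructed so the leak can be measured instead of guessed at.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed bookkeeping: number of heap strings currently alive, so the
 * ownership rules below can be checked rather than eyeballed. */
static int live_strings = 0;

/* Hypothetical stand-in for PR_smprintf: builds "name" or "name #N". */
static char *make_candidate(const char *servername, int count) {
    size_t n = strlen(servername) + 16;
    char *s = malloc(n);
    if (!s) return NULL;
    if (count == 1) snprintf(s, n, "%s", servername);
    else snprintf(s, n, "%s #%d", servername, count);
    live_strings++;
    return s;
}

/* Hypothetical stand-in for PR_Free. */
static void release(char *s) {
    if (s) { free(s); live_strings--; }
}

/* Constructed certificate-DB stand-in: nicknames already in use. */
static const char *in_use[] = { "mail.example.test", "mail.example.test #2", NULL };

/* Hypothetical stand-in for SEC_CertNicknameConflict: true if taken. */
static bool nickname_conflicts(const char *nickname) {
    for (int i = 0; in_use[i]; i++)
        if (strcmp(in_use[i], nickname) == 0) return true;
    return false;
}

/* Ownership contract: the returned string belongs to the caller, who must
 * release() it. Candidates that lose the conflict check are released here,
 * inside the loop. The winner is never released by this function: freeing
 * the value that is about to be returned is the mistake patch v1 made. */
char *default_nickname(const char *servername) {
    for (int count = 1; count < 1000; count++) {
        char *nickname = make_candidate(servername, count);
        if (!nickname) return NULL;
        if (!nickname_conflicts(nickname)) return nickname;  /* hand off to caller */
        release(nickname);  /* losing candidate: free before the next attempt */
    }
    return NULL;
}

/* A caller that honours the contract: use the name, then release it. */
int nickname_len_and_release(const char *servername) {
    char *nick = default_nickname(servername);
    if (!nick) return -1;
    int len = (int)strlen(nick);
    release(nick);
    return len;
}

/* A caller that forgets the contract: one string leaks per call. */
int nickname_len_leaking(const char *servername) {
    char *nick = default_nickname(servername);
    return nick ? (int)strlen(nick) : -1;
}

/* Returns how many strings are still alive after calling fn once. */
int strings_leaked_by(int (*fn)(const char *), const char *servername) {
    live_strings = 0;
    (void)fn(servername);
    return live_strings;
}

int main(void) {
    char *nick = default_nickname("mail.example.test");
    printf("chosen nickname: %s\n", nick);  /* first free slot is "#3" */
    release(nick);
    printf("leaked by releasing caller: %d\n",
           strings_leaked_by(nickname_len_and_release, "mail.example.test"));
    printf("leaked by forgetful caller: %d\n",
           strings_leaked_by(nickname_len_leaking, "mail.example.test"));
    return 0;
}
```

Running it shows the retry loop itself balances its allocations (the two taken names are built and released) and that the only way to lose memory is for the caller to drop the returned string, which is why moving the free to the callers, as the comment proposes, is the right shape of fix.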
Attached patch Patch (v2) — Splinter Review
Attachment #521123 - Attachment is obsolete: true
Attachment #521373 - Flags: review?(honzab.moz)
Oh crap!  Collective blindness...  Will look at this ASAP.
Comment on attachment 521373 [details] [diff] [review]
Patch (v2)

Thanks.

r=honzab.
Attachment #521373 - Flags: review?(honzab.moz) → review+
http://hg.mozilla.org/mozilla-central/rev/f458cf4569b0
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Can someone confirm this as fixed?
No longer blocks: mlk-fx5+