Closed Bug 661907 Opened 14 years ago Closed 14 years ago

Double free in NSS_CMSSignerInfo_Sign causes crash when C_Sign is cancelled

Categories

(MailNews Core :: Security: S/MIME, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 621664

People

(Reporter: rfaber, Assigned: rfaber)

References

Details

(Keywords: regression)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.1 Safari/535.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10

The method NSS_CMSSignerInfo_Sign() in cmssiginfo.c always calls PORT_FreeArena(tmppoolp, PR_FALSE) immediately after SEC_SignData(). If SEC_SignData() does not return SECSuccess, it then jumps to the error-cleanup where tmppoolp is freed again, causing a crash. A simple fix would be to set tmppoolp to NULL as soon as it has been freed.

The problem was introduced when fixing the memory leak in https://bugzilla.mozilla.org/show_bug.cgi?id=587432

Reproducible: Sometimes

Steps to Reproduce:
1. Install a PKCS#11 library that can cancel C_Sign or otherwise fail to complete the call.
2. Attempt to digitally sign a message using Thunderbird or cmsutil.
3. Cause the PKCS#11 module to return something other than CKR_OK (f.x. CKR_FUNCTION_CANCELLED).

Actual Results:
Segmentation fault

Expected Results:
An error message explaining that the operation was aborted.
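The control-flow defect the report describes, modelled as an added example (this is not NSS's code and not the attached patch). A toy arena counts how often it is freed instead of releasing memory, so the double free is observable rather than a crash; the buggy variant frees the temporary arena right after signing and again in the error path, the fixed variant clears the pointer after the first free. `Arena`, `free_arena`, `SignFn`, `signer_info_sign_buggy`, `signer_info_sign_fixed` and `count_frees` are hypothetical names, and the two sign callbacks are constructed stand-ins for a PKCS#11 module that succeeds or cancels C_Sign.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an NSS-style arena. Instead of releasing memory on
 * every free, it records the number of frees so a double free shows up as a
 * count of 2 rather than as a segmentation fault. */
typedef struct {
    int free_count;       /* number of times free_arena() has been called on it */
    unsigned char *buf;   /* scratch memory owned by the arena */
} Arena;

typedef enum { SEC_SUCCESS = 0, SEC_FAILURE = -1 } SecStatus;

/* Models the outcome of SEC_SignData() -> C_Sign: the module may cancel. */
typedef SecStatus (*SignFn)(unsigned char *out, size_t len);

static Arena *new_arena(void) {
    Arena *a = calloc(1, sizeof *a);
    if (a) a->buf = calloc(1, 64);
    return a;
}

/* Assumption: like an arena-free routine that tolerates NULL, a NULL arena
 * is a no-op. The first call releases the scratch memory; any later call is
 * a double free, which a real allocator would corrupt its heap on. */
static void free_arena(Arena *a) {
    if (!a) return;
    a->free_count++;
    if (a->free_count == 1) { free(a->buf); a->buf = NULL; }
}

/* Buggy shape: the temporary arena is unconditionally freed after signing
 * (the leak fix), and the error-cleanup label frees the same arena again. */
static SecStatus signer_info_sign_buggy(Arena *pool, SignFn sign,
                                        unsigned char *sig, size_t siglen) {
    Arena *tmppoolp = pool;
    SecStatus rv = sign(sig, siglen);   /* may return failure if C_Sign is cancelled */
    free_arena(tmppoolp);               /* first free */
    if (rv != SEC_SUCCESS)
        goto loser;
    return SEC_SUCCESS;
loser:
    if (tmppoolp)
        free_arena(tmppoolp);           /* second free of the same arena */
    return SEC_FAILURE;
}

/* Fixed shape: clearing the pointer right after the first free turns the
 * cleanup path's free into a no-op, whichever path is taken afterwards. */
static SecStatus signer_info_sign_fixed(Arena *pool, SignFn sign,
                                        unsigned char *sig, size_t siglen) {
    Arena *tmppoolp = pool;
    SecStatus rv = sign(sig, siglen);
    free_arena(tmppoolp);
    tmppoolp = NULL;                    /* the fix */
    if (rv != SEC_SUCCESS)
        goto loser;
    return SEC_SUCCESS;
loser:
    if (tmppoolp)
        free_arena(tmppoolp);           /* never reached with a live pointer */
    return SEC_FAILURE;
}

/* Constructed module behaviours: a normal signature, and a cancelled C_Sign. */
static SecStatus sign_ok(unsigned char *out, size_t len) {
    memset(out, 0xAB, len);
    return SEC_SUCCESS;
}
static SecStatus sign_cancelled(unsigned char *out, size_t len) {
    (void)out; (void)len;               /* module returned e.g. CKR_FUNCTION_CANCELLED */
    return SEC_FAILURE;
}

/* Runs one variant against one module behaviour and returns how many times
 * the temporary arena was freed: 1 is correct, 2 is a double free. */
static int count_frees(int fixed, SignFn sign) {
    Arena *a = new_arena();
    unsigned char sig[16];
    if (!a) return -1;
    if (fixed) signer_info_sign_fixed(a, sign, sig, sizeof sig);
    else       signer_info_sign_buggy(a, sign, sig, sizeof sig);
    int n = a->free_count;
    free(a->buf);                       /* already NULL after the first free */
    free(a);
    return n;
}

int main(void) {
    printf("buggy, sign ok:        %d free(s)\n", count_frees(0, sign_ok));
    printf("buggy, sign cancelled: %d free(s)\n", count_frees(0, sign_cancelled));
    printf("fixed, sign ok:        %d free(s)\n", count_frees(1, sign_ok));
    printf("fixed, sign cancelled: %d free(s)\n", count_frees(1, sign_cancelled));
    return 0;
}
```

The harness only reports a second free on the buggy variant when the sign callback fails, which matches "Reproducible: Sometimes": the success path is clean, so the defect is reached only when the PKCS#11 module declines to complete C_Sign. Against a real allocator the same two-free sequence is what AddressSanitizer reports as a double-free, which is the cheapest way to catch this class of regression in a test that drives the signer with a failing module.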
Assignee: nobody → rfaber
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #537378 - Flags: review?(wtc)
Blocks: 587432
Keywords: regression
Apparently a duplicate of bug 621664.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Product: Core → MailNews Core
Comment on attachment 537378 [details] [diff] [review]
Avoid double free by setting tmppoolp to NULL after the first free.

Removing obsolete review request for patch that was landed in a bug this was marked as duplicate of.
Attachment #537378 - Flags: review?(wtc)