Closed Bug 672594 Opened 13 years ago Closed 8 years ago

Firefox Crash [@ ssl3_HandleCertificate ]

Categories

(NSS :: Libraries, defect)

3.12.9
x86
Windows 7
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash)

This is showing on the explosive crash report as having significantly increased in 5.0 and 5.0.1 - https://crash-stats.mozilla.com/report/list?signature=ssl3_HandleCertificate. Explosive crash report is here: http://test.kairo.at/socorro/2011-07-18.firefox.5.explosiveness.html
https://crash-stats.mozilla.com/report/index/cb056648-f02c-4205-8f26-256b92110719
Frame  Module  Signature  Source
0  ssl3.dll  ssl3_HandleCertificate  security/nss/lib/ssl/ssl3con.c:7937
1  ssl3.dll  ssl3_HandleHandshakeMessage  security/nss/lib/ssl/ssl3con.c:8603
2  ssl3.dll  ssl3_HandleHandshake  security/nss/lib/ssl/ssl3con.c:8727
3  ssl3.dll  ssl3_HandleRecord  security/nss/lib/ssl/ssl3con.c:9066
4  ssl3.dll  ssl3_GatherCompleteHandshake  security/nss/lib/ssl/ssl3gthr.c:209
5  ssl3.dll  ssl_GatherRecord1stHandshake  security/nss/lib/ssl/sslcon.c:1258
6  ssl3.dll  ssl_Do1stHandshake  security/nss/lib/ssl/sslsecur.c:151
7  ssl3.dll  ssl_SecureSend  security/nss/lib/ssl/sslsecur.c:1213
8  ssl3.dll  ssl_SecureWrite  security/nss/lib/ssl/sslsecur.c:1258
9  ssl3.dll  ssl_Write  security/nss/lib/ssl/sslsock.c:1652
10  xul.dll  nsSSLThread::Run
11  nspr4.dll  _PR_NativeRunThread  nsprpub/pr/src/threads/combined/pruthr.c:426
12  nspr4.dll  pr_root  nsprpub/pr/src/md/windows/w95thred.c:122
13  mozcrt19.dll  _callthreadstartex  obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
14  mozcrt19.dll  __dllonexit  obj-firefox/memory/jemalloc/crtsrc/onexit.c:276
15  mozcrt19.dll  _threadstartex  obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
16  kernel32.dll  GetCodePageFileInfo
chofmann suggested adding Kai and mrz in case this has something to do with a certificate.
Correlations: 100% (641/642) vs. 1% (710/107977) spdg.dll
This somehow sounds similar to bug 627716 - there we seemed to assume that spdg.dll is malware, but still, crashing in certificate stuff always makes me worry. Should we blocklist that DLL? Is there something in our code that's wrong?
I assume the source code locations refer to Firefox 5, which uses NSS 3.12.9. The crashing line security/nss/lib/ssl/ssl3con.c:7937 is this code:
    cert = ss->sec.peerCert;
    if (!isServer &&
        ssl3_global_policy_some_restricted &&
        ss->ssl3.policy == SSL_ALLOWED &&
        anyRestrictedEnabled(ss) &&
        SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
                                         PR_FALSE, /* checkSig */
                                         certUsageSSLServerWithStepUp,
                                         /*XXX*/ ss->authCertificateArg) ) {
(It's funny the crashing line is marked XXX in the code...)
I think the crash cannot be related to dereferencing ss-> because if ss were null, it would have crashed earlier in this function. Maybe cert is null, maybe the handshake we received contained bad data, and we fail to construct a cert object. However, the code attempts to deal with that scenario, and would abort prior to this line of code. Most of ssl3_HandleCertificate and ssl3_ConsumeHandshakeNumber hasn't changed in years, according to CVS blame.
Version: 3.0 → 3.12.9
I agree with Kai's analysis. I don't see any potential null pointer dereference by code inspection.
Depends on: 716345
Crash Signature: [@ ssl3_HandleCertificate ] → ssl_Write | nsSSLThread::Run] [@ ssl3_HandleCertificate ] [@ ssl3_HandleCertificate | ssl3_HandleHandshakeMessage | ssl3_HandleHandshake | ssl3_HandleRecord | ssl3_GatherCompleteHandshake | ssl_GatherRecord1stHandshake | ssl_Do1stHandshake | ssl_SecureSe…
I'm marking this bug as WORKSFORME, as this bug's crash signature hasn't appeared for a long time (over half a year) in Firefox (except in some obsolete Fx <46).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME