Closed
Bug 793033
Opened 12 years ago
Closed 12 years ago
Remove the strange sslSocket copying in ssl_FreeSocket
Categories
(NSS :: Libraries, defect, P2)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.14
People
(Reporter: wtc, Assigned: wtc)
Details
Attachments
(1 file)
1.55 KB,
patch
|
rrelyea
:
review+
|
Details | Diff | Splinter Review |
In DEBUG build, ssl_FreeSocket makes a copy of the sslSocket structure, overwrites the old sslSocket structure with the 0x1f pattern, destroys the members (using the new copy), and then frees the old sslSocket structure. This strange sslSocket copying is in the original rev. 1.1, so I can't find out from CVS history what the motivation is. It is most likely a debugging aid. If any pointer member of the sslSocket structure points to another member of the structure, that pointer member in the new copy will be pointing to the wrong copy (the old structure). This prevented Ekr from declaring a PRCList as a member of the sslSocket structure. (PRCList contains two pointers. If a PRCList is empty, the two pointers point to the PRCList itself.) http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/sslimpl.h&rev=1.107&mark=819-823#819 Now, this strange sslSocket copying also messes up a patch to extend AESContext with a pointer member that points to allocated memory. The event sequence is: AES_InitContext(&(some member of sslSocket), ...); ... #ifdef DEBUG memset(ss, 0x1f, sizeof(*ss)); #endif ... AES_DestroyContext(&(some member of sslSocket), PR_FALSE); In a debug build, that AESContext structure embedded in sslSocket will have been overwritten with the 0x1f pattern by the time we call AES_DestroyContext(..., PR_FALSE), so all the members of that AESContext structure are messed up. This isn't a problem now because AES_DestroyContext() is a no-op if 'freeit' is PR_FALSE. If we change AES_DestroyContext() to inspect any member of the AESContext strucutre when 'freeit' is PR_FALSE, things will go wrong. I think the blame should be assigned to the memset(ss, 0x1f, sizeof(*ss)) call before the AES_DestroyContext(..., PR_FALSE) call, rather than to AES_DestroyContext(..., PR_FALSE). We should not mess up a structure before passing it to a Destroy function. I proposed that we remove the strange sslSocket copying from ssl_FreeSocket.
Attachment #663199 -
Flags: review?(rrelyea)
Comment 1•12 years ago
|
||
Comment on attachment 663199 [details] [diff] [review] Proposed patch r+ rrelyea
Attachment #663199 -
Flags: review?(rrelyea) → review+
Assignee | ||
Comment 2•12 years ago
|
||
Patch checked in on the NSS trunk (NSS 3.14). Checking in sslsock.c; /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v <-- sslsock.c new revision: 1.96; previous revision: 1.95 done
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.14
You need to log in
before you can comment on or make changes to this bug.
Description
•