Closed
Bug 95458
Opened 23 years ago
Closed 23 years ago
ASN1 decoder crashes when fed incorrect data
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4
People
(Reporter: julien.pierre, Assigned: julien.pierre)
References
Details
(Keywords: crash)
Attachments
(1 file)
746 bytes,
patch
When feeding a CRL encoded in PKCS#7 format from General Dynamics to the CERT_DecodeCRL function, a crash occurs in the ASN1 decoder. The decoding is not supposed to work as x509 format is expected; however the decoder should just fail with an error rather than crash.

To reproduce the problem:
1) go to http://www.gd-cs.com/ieca
2) click on "download CRL"
3) select "PKCS#7"
4) save it to a file
5) run atob to convert it to binary and pipe to another file
6) use a tool that calls CERT_DecodeCRL to import the binary CRL file. I'm assuming crlutil will do that
7) a crash occurs with a stack looking like this:

sec_asn1d_free_child(sec_asn1d_state_struct * 0x00b79a50, int 1) line 1212 + 12 bytes
SEC_ASN1DecoderUpdate(sec_DecoderContext_struct * 0x00b799c8, const char * 0x00b78d8f, unsigned long 3093) line 2471 + 11 bytes
SEC_ASN1Decode(PLArenaPool * 0x00b996e0, void * 0x00b77d88, const sec_ASN1Template_struct * 0x002e64d0 cert_SignedCrlTemplate, const char * 0x00b78d80, long 3108) line 2628 + 17 bytes
SEC_ASN1DecodeItem(PLArenaPool * 0x00b996e0, void * 0x00b77d88, const sec_ASN1Template_struct * 0x002e64d0 cert_SignedCrlTemplate, SECItemStr * 0x0012fad8) line 2644 + 31 bytes
CERT_DecodeDERCrl(PLArenaPool * 0x00000000, SECItemStr * 0x0012fad8, int 1) line 353 + 22 bytes
Comment 1•23 years ago
marking NEW.
Updated•23 years ago
Severity: critical → normal
Comment 2•23 years ago
Did you regret joining the NSS team? ;-)
Assignee: wtc → jpierre
Priority: -- → P2
Target Milestone: --- → 3.4
Assignee
Comment 3•23 years ago
*** Bug 101683 has been marked as a duplicate of this bug. ***
Assignee
Comment 4•23 years ago
Assignee
Updated•23 years ago
OS: Windows NT → All
Hardware: PC → All
Assignee
Updated•23 years ago
Priority: P2 → P1
Summary: ASN1 decoder crashes when fed incorrect PKCS#7 data → ASN1 decoder crashes when fed incorrect data
Comment 5•23 years ago
Comment on attachment 59460 [details] [diff] [review] Proposed patch by liqi to fix the crash in ASN.1 decoder >- while (state != NULL) { >+ while (state != NULL&&stateEnd->parent!=state) { It will be easier to read if space is added between the operators: while (state != NULL && stateEnd->parent != state) {
Attachment #59460 -
Flags: needs-work+
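Review bot: in the added condition `stateEnd->parent!=state`, stateEnd is dereferenced on every pass of the loop, and nothing in the two quoted lines shows that it is guaranteed non-NULL at this point. Since the report is about a crash on malformed input, either guard it (`stateEnd != NULL && stateEnd->parent != state`) or add a comment naming the invariant that makes the dereference safe. A one-line comment explaining why the walk must stop when state reaches stateEnd's parent would also help, because the condition does not explain itself.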
Assignee
Comment 6•23 years ago
Fixed on the tip, with extra whitespace.

Checking in secasn1d.c;
/cvsroot/mozilla/security/nss/lib/util/secasn1d.c,v <-- secasn1d.c
new revision: 1.12; previous revision: 1.11
done
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED