Closed
Bug 95458
Opened 24 years ago
Closed 24 years ago
ASN1 decoder crashes when fed incorrect data
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4
People
(Reporter: julien.pierre, Assigned: julien.pierre)
References
Details
(Keywords: crash)
Attachments
(1 file)
|
746 bytes,
patch
|
Details | Diff | Splinter Review |
When feeding a CRL encoded in PKCS#7 format from General Dynamics to the
CERT_DecodeCRL function, a crash occurs in the ASN1 decoder. The decoding is not
supposed to work as x509 format is expected; however the decoder should just
fail with an error rather than crash.
To reproduce the problem :
1)go to http://www.gd-cs.com/ieca
2) click on "download CRL"
3) select "PKCS#7"
4) save it to a file
5) run atob to convert it to binary and pipe to another file
6) use a tool that calls CERT_DecodeCRL to import the binary CRL file . I'm
assuming crlutil will do that
7) a crash occurs with a stack looking like this :
sec_asn1d_free_child(sec_asn1d_state_struct * 0x00b79a50, int 1) line 1212 + 12
bytes
SEC_ASN1DecoderUpdate(sec_DecoderContext_struct * 0x00b799c8, const char *
0x00b78d8f, unsigned long 3093) line 2471 + 11 bytes
SEC_ASN1Decode(PLArenaPool * 0x00b996e0, void * 0x00b77d88, const
sec_ASN1Template_struct * 0x002e64d0 cert_SignedCrlTemplate, const char *
0x00b78d80, long 3108) line 2628 + 17 bytes
SEC_ASN1DecodeItem(PLArenaPool * 0x00b996e0, void * 0x00b77d88, const
sec_ASN1Template_struct * 0x002e64d0 cert_SignedCrlTemplate, SECItemStr *
0x0012fad8) line 2644 + 31 bytes
CERT_DecodeDERCrl(PLArenaPool * 0x00000000, SECItemStr * 0x0012fad8, int 1) line
353 + 22 bytes
Comment 1•24 years ago
|
||
marking NEW.
Updated•24 years ago
|
Severity: critical → normal
Comment 2•24 years ago
|
||
Did you regret joining the NSS team? ;-)
Assignee: wtc → jpierre
Priority: -- → P2
Target Milestone: --- → 3.4
| Assignee | ||
Comment 3•24 years ago
|
||
*** Bug 101683 has been marked as a duplicate of this bug. ***
| Assignee | ||
Comment 4•24 years ago
|
||
| Assignee | ||
Updated•24 years ago
|
OS: Windows NT → All
Hardware: PC → All
| Assignee | ||
Updated•24 years ago
|
Priority: P2 → P1
Summary: ASN1 decoder crashes when fed incorrect PKCS#7 data → ASN1 decoder crashes when fed incorrect data
Comment 5•24 years ago
|
||
Comment on attachment 59460 [details] [diff] [review]
Proposed patch by liqi to fix the crash in ASN.1 decoder
>- while (state != NULL) {
>+ while (state != NULL&&stateEnd->parent!=state) {
It will be easier to read if space is added between the operators:
while (state != NULL && stateEnd->parent != state) {
Attachment #59460 -
Flags: needs-work+
| Assignee | ||
Comment 6•24 years ago
|
||
Fixed on the tip, with extra whitespace.
Checking in secasn1d.c;
/cvsroot/mozilla/security/nss/lib/util/secasn1d.c,v <-- secasn1d.c
new revision: 1.12; previous revision: 1.11
done
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•