Closed Bug 974693 Opened 10 years ago Closed 10 years ago

memory corruption in sec_pkcs12_new_asafe()

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: maksqwe1, Assigned: maksqwe1)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140212131424

Steps to reproduce:

.\security\nss\lib\pkcs12\p12creat.c - 57 - sec_pkcs12_new_asafe()

PORT_Memset(&asafe->old_baggage, 0, sizeof(SEC_PKCS7ContentInfo));



Actual results:

"asafe->old_baggage" is a SEC_PKCS12Baggage_OLD, which is much smaller than SEC_PKCS7ContentInfo
Component: Security → Libraries
Product: Core → NSS
Version: Trunk → trunk
Comment on attachment 8378659
mem_corruption.patch

Patches go easily unnoticed without reviewers. Please reassign to someone else if it's not your area. If it's an unwanted change then please change bug status accordingly.
Attachment #8378659 - Flags: review?(ryan.sleevi)
I can't edit the "Assigned To" field. I'll be glad if you help me with this.
Sorry I was so unclear. I meant that the reviewer can delegate the review if needed but at least it's on somebody's radar.
Assignee: nobody → maksqwe1
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8378659 - Flags: review?(ryan.sleevi) → review+
I'm guessing you need this checked in as well?
Thank you Maks!

https://hg.mozilla.org/projects/nss/rev/3dc628d58607
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.16
Comment on attachment 8378659
mem_corruption.patch

Review of attachment 8378659:
-----------------------------------------------------------------

r=wtc.

::: security/nss/lib/pkcs12/p12creat.c
@@ +54,4 @@
>      if(asafe == NULL)
>  	goto loser;
>      asafe->poolp = poolp;
> +    PORT_Memset(&asafe->old_baggage, 0, sizeof(SEC_PKCS12Baggage_OLD));
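
Review bot: On the added PORT_Memset line the length is still written as a type name, sizeof(SEC_PKCS12Baggage_OLD), separately from the destination &asafe->old_baggage, so the two can drift apart again if the field's type ever changes. Taking the size from the destination itself, sizeof(asafe->old_baggage), keeps the length tied to the object being cleared.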

A common way to avoid this kind of bug is to say sizeof(asafe->old_baggage).
Attachment #8378659 - Flags: review+
OS: Windows 7 → All
Priority: -- → P1
Hardware: x86_64 → All
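
The size mismatch reported in this bug, as an added example that is not NSS code and not part of the original thread. The struct layouts are constructed stand-ins (not the real SEC_PKCS12Baggage_OLD or SEC_PKCS7ContentInfo), and ZERO_FIELD, bytes_past_field and bytes_past_object are hypothetical helpers; the code measures how far a memset sized by the wrong type would reach and clears the field with the sizeof-on-destination form suggested in review.

```c
/* Added example: stand-in types, NOT the NSS definitions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct baggage_old  { void *bags; int count; };            /* small field type  */
struct content_info { void *p[8]; unsigned char b[64]; };  /* larger, unrelated */

struct asafe_demo {
    void *poolp;
    struct baggage_old old_baggage;  /* the field being cleared */
    int version;                     /* neighbour an overrun would clobber */
};

/* Clear a struct member using the member's own size, never a type name. */
#define ZERO_FIELD(obj, field) memset(&(obj)->field, 0, sizeof((obj)->field))

/* Bytes a memset of `len` starting at old_baggage would write past the field. */
size_t bytes_past_field(size_t len) {
    size_t field = sizeof(((struct asafe_demo *)0)->old_baggage);
    return len > field ? len - field : 0;
}

/* Bytes the same memset would write past the end of the whole object. */
size_t bytes_past_object(size_t len) {
    size_t end = offsetof(struct asafe_demo, old_baggage) + len;
    return end > sizeof(struct asafe_demo) ? end - sizeof(struct asafe_demo) : 0;
}

/* Returns 1 if clearing via ZERO_FIELD leaves the neighbouring members intact. */
int safe_clear_keeps_neighbours(void) {
    struct asafe_demo a;
    memset(&a, 0xAA, sizeof a);      /* fill with a recognisable pattern */
    a.poolp = &a;
    a.version = 3;
    ZERO_FIELD(&a, old_baggage);
    return a.poolp == (void *)&a && a.version == 3 &&
           a.old_baggage.bags == NULL && a.old_baggage.count == 0;
}

int main(void) {
    size_t wrong = sizeof(struct content_info);  /* the mismatched length */
    printf("past field: %zu, past object: %zu, safe clear ok: %d\n",
           bytes_past_field(wrong), bytes_past_object(wrong),
           safe_clear_keeps_neighbours());
    return 0;
}
```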