Bug 717338

Summary: pem module may attempt to free an uninitialized pointer
Product: [Fedora] Fedora Reporter: Nalin Dahyabhai <nalin>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: emaldona, kdudka, kengert
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 805232 (view as bug list) Environment:
Last Closed: 2012-03-20 20:36:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 805232, 847462    
Attachments:
Description Flags
minimal attempt at a reproducer
none
patch for NSS which fixes my application none

Description Nalin Dahyabhai 2011-06-28 15:23:32 UTC 
Description of problem:
When my application attempts to load a private key file, it crashes in pem_CreateObject().

Version-Release number of selected component (if applicable):
nss-3.12.10-4.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
1. SECMOD_LoadUserModule(libnsspem.so)
2. PK11_CreateGenericObject(CKA_CLASS=CKO_PRIVATE_KEY,CKA_TOKEN=CK_TRUE)
  
Actual results:
pem_CreateObject() passes an uninitialized certDER.data to nss_ZFreeIf()

Additional info:
When I cut it down to the bare minimum to try to create a simpler reproducer, I don't get a crash any more, but valgrind at least still flags the errors.
Comment 1 Nalin Dahyabhai 2011-06-28 15:24:30 UTC 
Created attachment 510308 [details]
minimal attempt at a reproducer
Comment 2 Nalin Dahyabhai 2011-06-28 15:59:56 UTC 
Created attachment 510313 [details]
patch for NSS which fixes my application
Comment 3 Elio Maldonado Batiz 2011-09-12 16:09:05 UTC 
Nalin, I'm picking up your patch. It will be applied with other I have in the queue. Thanks.
Comment 4 Kai Engert (:kaie) (inactive account) 2012-03-20 20:36:56 UTC 
I see the fix is already in rawhide, closing.