Bug 248722 - mod_nss will core if the certificate has no X.509 version
Summary: mod_nss will core if the certificate has no X.509 version
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat Fortitude
Classification: Retired
Component: General
Version: 1.0
Hardware: All
OS: All
low
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-07-18 13:35 UTC by Rob Crittenden
Modified: 2020-03-27 18:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-27 18:34:01 UTC
Embargoed:


Attachments
See if the secitem has data in it before calling DER_GetInteger() (862 bytes, patch)
2008-01-03 21:34 UTC, Rob Crittenden

Description Rob Crittenden 2007-07-18 13:35:15 UTC
User on Solaris 10 reports that mod_nss causes Apache to core when generating
the CGI environment variables in the call to DER_GetInteger().

Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 8]
0xfe95b5f8 in DER_GetInteger () from /usr/lib/mps/libnss3.so
(gdb) bt full
#0  0xfe95b5f8 in DER_GetInteger () from /usr/lib/mps/libnss3.so
No symbol table info available.
#1  0xfeedf944 in nss_var_lookup_nss_cert (p=0x161c98, xs=0x146788,
var=0xfeee7d2b "M_VERSION", c=0x14c2a8) at nss_engine_vars.c:324
        result = <value optimized out>
        xsname = <value optimized out>
#2  0xfeee0418 in nss_var_lookup (p=0x161c98, s=<value optimized out>,
c=0x14c2a8, r=0x161cd0, var=0xfeee7d20 "SSL_SERVER_M_VERSION")
    at nss_engine_vars.c:306
        sslconn = <value optimized out>
        mc = <value optimized out>
        result = <value optimized out>
        tm = {tm_usec = 1455119, tm_sec = 1059672, tm_min = 1450224, tm_hour =
1452552, tm_mday = 0, tm_mon = 0, tm_year = 0,
  tm_wday = 0, tm_yday = 1, tm_isdst = 1455024, tm_gmtoff = 95}
#3  0xfeedda94 in nss_hook_Fixup (r=0x161cd0) at nss_engine_kernel.c:809
        sslconn = <value optimized out>
        ssl = (PRFileDesc *) 0x543a98
        env = (apr_table_t *) 0x1620f0
        var = 0xfeee7d20 "SSL_SERVER_M_VERSION"
        val = <value optimized out>
        i = <value optimized out>
        cert = <value optimized out>
        chain = <value optimized out>
#4  0x00041a5c in ap_run_fixups ()
No symbol table info available.
#5  0x00042cc8 in ap_process_request_internal ()
No symbol table info available.
#6  0x00064f54 in ap_process_request ()
No symbol table info available.
#7  0x000608f8 in ?? ()
No symbol table info available.
#8  0x000608f8 in ?? ()
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Examination of the process reveals that the SecItem contains {type: 0 =
siBuffer, data = 0x0, len = 0}.
Indeed, if I step into frame 1 and print xs, I get:

(gdb) print *xs
$5 = {arena = 0x5834f0, subjectName = 0x586bf8
"C=ch,ST=zh,L=zh,OU=devel,O=visonys,CN=iischia0.visonys.com",
  issuerName = 0x586c38 "C=ch,ST=zh,L=zh,OU=devel,O=visonys,CN=MyCA",
signatureWrap = {data = {type = siBuffer,
      data = 0x58675c "0\202\001\230\002\001\0020\r\006\t*\206H\206
r\001\001\005\005", len = 412}, signatureAlgorithm = {algorithm = {
        type = siBuffer, data = 0x5868fc "*\206H\206 r\001\001\005\005", len =
9}, parameters = {type = siBuffer,
        data = 0x586905 "\005", len = 2}}, signature = {type = siBuffer,
      data = 0x58690b "\202jY #+   002H  004\003# 1\202\t\202 025\b w<
030\031E\177\031\002 \004H\f%\003\016\222 o[\203i\a t\0361?0\233P\016J\235h
4\v\206\201\037\2251\vGu\216$ b\022\002\217ʨW\\\020  021yw8 | 017 \v}\035", len
= 1024}},
  derCert = {type = siBuffer, data = 0x586758
"0\202\002/0\202\001\230\002\001\0020\r\006\t*\206H\206 r\001\001\005\005", len
= 563},
  derIssuer = {type = siBuffer,
    data = 0x586772
"0X1\r0\v\006\003U\004\003\023\004MyCA1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\036\027\r070614162332Z\027\r080614162332Z0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002"...,
len = 90}, derSubject = {type = siBuffer,
    data = 0x5867ec
"0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\201\2370\r\006\t*\206H\206
r\001\001\001\005", len = 106}, derPublicKey = {type = siBuffer, data = 0x586856
"0\201\2370\r\006\t*\206H\206 r\001\001\001\005",
    len = 162}, certKey = {type = siBuffer,
    data = 0x586b80
"\0020X1\r0\v\006\003U\004\003\023\004MyCA1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch",
len = 91}, version = {type = siBuffer,
    data = 0x0, len = 0}, serialNumber = {type = siBuffer, data = 0x586762
"\0020\r\006\t*\206H\206 r\001\001\005\005", len = 1},
  signature = {algorithm = {type = siBuffer, data = 0x586767 "*\206H\206
r\001\001\005\005", len = 9}, parameters = {type = siBuffer,
      data = 0x586770 "\005", len = 2}}, issuer = {arena = 0x0, rdns =
0x586990}, validity = {arena = 0x0, notBefore = {
      type = siUTCTime,
      data = 0x5867d0
"070614162332Z\027\r080614162332Z0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\201\2370\r\006\t*\206H\206
r\001\001\001\005", len = 13}, notAfter = {type = siUTCTime,
      data = 0x5867df
"080614162332Z0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\201\2370\r\006\t*\206H\206
r\001\001\001\005", len = 13}}, subject = {arena = 0x0, rdns = 0x586a88},
subjectPublicKeyInfo = {arena = 0x0,
    algorithm = {algorithm = {type = siBuffer, data = 0x58685d "*\206H\206
r\001\001\001\005", len = 9}, parameters = {type = siBuffer,
        data = 0x586866 "\005", len = 2}}, subjectPublicKey = {type = siBuffer,
data = 0x58686c "0\201\211\002\201\201", len = 1120}},
  issuerID = {type = siBuffer, data = 0x0, len = 0}, subjectID = {type =
siBuffer, data = 0x0, len = 0}, extensions = 0x0,
  emailAddr = 0x0, dbhandle = 0x572b40, subjectKeyID = {type = siBuffer, data =
0x586be0 "\225 D\027 \230^\203\031m6^*\005",
    len = 20}, keyIDGenerated = 0, keyUsage = 254, rawKeyUsage = 254,
keyUsagePresent = 0, nsCertType = 224, keepSession = 0,
  timeOK = 0, domainOK = 0x0, isperm = 1, istemp = 0, nickname = 0x586c68
"airlock:iischia0", dbnickname = 0x0,
  nssCertificate = 0x514fd0, trust = 0x586c80, referenceCount = 1, subjectList =
0x0, authKeyID = 0x0, isRoot = 0, authsocketlist = 0x0,
  series = 2, slot = 0x56b3d0, pkcs11ID = 10, ownSlot = 1}

His fix was to change:

nss_engine_vars.c, line 323:
    if (strcEQ(var, "M_VERSION")) {
        if (xs->version.data) {
            result = apr_psprintf(p, "%lu", DER_GetInteger(&xs->version)+1);
            resdup = FALSE;
        } else {
            /* version seems not to be available - ignore */
        }
    }
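As an added illustration (not code from this bug or from mod_nss), the guard the fix introduces, applied to a stand-in for NSS's SECItem: an empty version item is reported as absent instead of being handed to the integer decoder, so the M_VERSION variable is skipped rather than crashing the worker. The item_t type, der_get_uint(), m_version_string() and demo_version() are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for NSS's SECItem: DER content bytes plus length.
 * The crashing certificate had data == NULL and len == 0 here. */
typedef struct {
    const unsigned char *data;
    size_t len;
} item_t;

/* Decode an unsigned DER INTEGER content (tag and length already stripped,
 * as NSS stores it). Returns 0 on success, -1 if the item is empty or wider
 * than an unsigned long; an empty item is a failure, not a dereference. */
static int der_get_uint(const item_t *it, unsigned long *out)
{
    if (it == NULL || it->data == NULL || it->len == 0 || it->len > sizeof(*out))
        return -1;
    unsigned long v = 0;
    for (size_t i = 0; i < it->len; i++)
        v = (v << 8) | it->data[i];
    *out = v;
    return 0;
}

/* Produce the SSL_*_M_VERSION value the way the lookup does: DER value + 1,
 * since X.509 encodes v3 as 2. Returns -1 (and writes nothing) when the
 * certificate carries no version field, mirroring the attached fix. */
int m_version_string(const item_t *version, char *buf, size_t buflen)
{
    unsigned long v;
    if (der_get_uint(version, &v) != 0)
        return -1;
    snprintf(buf, buflen, "%lu", v + 1);
    return 0;
}

/* Constructed inputs for the two cases in the report: an explicit v3
 * version (content byte 0x02) and a certificate with no version at all. */
long demo_version(int present)
{
    const unsigned char v3[] = { 0x02 };
    item_t it = present ? (item_t){ v3, 1 } : (item_t){ NULL, 0 };
    char buf[32];
    if (m_version_string(&it, buf, sizeof buf) != 0)
        return -1;                    /* absent: variable is not exported */
    return strtol(buf, NULL, 10);
}

int main(void)
{
    printf("explicit version -> %ld\n", demo_version(1));
    printf("missing version  -> %ld\n", demo_version(0));
    return 0;
}
```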

Comment 1 Rob Crittenden 2008-01-03 21:34:17 UTC
Created attachment 290783 [details]
See if the secitem has data in it before calling DER_GetInteger()

Comment 2 Rob Crittenden 2008-01-03 21:35:44 UTC
Checking in nss_engine_vars.c;
/cvs/dirsec/mod_nss/nss_engine_vars.c,v  <--  nss_engine_vars.c
new revision: 1.11; previous revision: 1.10
done
