Bug 1421788 - Add a length check in nssCryptokiObject_Create to maybe prevent null pointer deref r=ttaubert

Reviewers: ttaubert Reviewed By: ttaubert Bug #: 1421788 Differential Revision: https://phabricator.services.mozilla.com/D302
author: David Keeler <dkeeler@mozilla.com> 2017-12-01 06:24:29 +0100
committer: David Keeler <dkeeler@mozilla.com> 2017-12-01 06:24:29 +0100
commit: 07ec5f898074ac09b24ec124a33d717d1ef01ab0 (patch)
tree: 78351d7d98e625f20fea28713e14ffc9350ba479 /lib/dev
parent: 0130d7ebdc3a640cbdc14f8e0a0818ef6bbd8f91 (diff)
download: nss-hg-07ec5f898074ac09b24ec124a33d717d1ef01ab0.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/dev/devutil.c b/lib/dev/devutil.c
index b8f82c810..42ce03c97 100644
--- a/lib/dev/devutil.c
+++ b/lib/dev/devutil.c
@@ -32,15 +32,21 @@ nssCryptokiObject_Create(
         /* a failure here indicates a device error */
         return (nssCryptokiObject *)NULL;
     }
+    if (cert_template[0].ulValueLen == 0) {
+        nss_ZFreeIf(cert_template[1].pValue);
+        return (nssCryptokiObject *)NULL;
+    }
     object = nss_ZNEW(NULL, nssCryptokiObject);
     if (!object) {
+        nss_ZFreeIf(cert_template[0].pValue);
+        nss_ZFreeIf(cert_template[1].pValue);
         return (nssCryptokiObject *)NULL;
     }
     object->handle = h;
     object->token = nssToken_AddRef(t);
     isTokenObject = (CK_BBOOL *)cert_template[0].pValue;
     object->isTokenObject = *isTokenObject;
-    nss_ZFreeIf(isTokenObject);
+    nss_ZFreeIf(cert_template[0].pValue);
     NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template[1], object->label);
     return object;
 }
author	David Keeler <dkeeler@mozilla.com>	2017-12-01 06:24:29 +0100
committer	David Keeler <dkeeler@mozilla.com>	2017-12-01 06:24:29 +0100
commit	07ec5f898074ac09b24ec124a33d717d1ef01ab0 (patch)
tree	78351d7d98e625f20fea28713e14ffc9350ba479 /lib/dev
parent	0130d7ebdc3a640cbdc14f8e0a0818ef6bbd8f91 (diff)
download	nss-hg-07ec5f898074ac09b24ec124a33d717d1ef01ab0.tar.gz