Robert List wrote:
> Hello!
>
> Sorry, my debugger isn't idiot-proof.
>
>
> The problem is at least in the functions pk11_CollectCrls and
> CERT_DecodeDERCrl.
>
>
> CERT_DecodeDERCrl returns a NULL Pointer on decoding a v2 CRL with no
> revoked certificates in it.
>
> pk11_CollectCrls:
> static SECStatus
> pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg)
> {
>     SECItem derCrl;
>     CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg;
>     CERTCrlNode *new_node = NULL;
>     CK_ATTRIBUTE fetchCrl[3] = {
>         { CKA_VALUE, NULL, 0},
>         { CKA_NETSCAPE_KRL, NULL, 0},
>         { CKA_NETSCAPE_URL, NULL, 0},
>     };
>     const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
>     SECStatus rv;
>
>     rv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize);
>     if (rv == SECFailure) {
>         goto loser;
>     }
>     rv = SECFailure;
>
>     new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena,
>                                               sizeof(CERTCrlNode));
>     if (new_node == NULL) {
>         goto loser;
>     }
>
>     new_node->type = *((CK_BBOOL *)fetchCrl[1].pValue) ?
>                      SEC_KRL_TYPE : SEC_CRL_TYPE;
>     derCrl.data = (unsigned char *)fetchCrl[0].pValue;
>     derCrl.len = fetchCrl[0].ulValueLen;
>     new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type);
>     <== CERT_DecodeDERCrl returns NULL
>
>     if (fetchCrl[2].pValue) {
>         int nnlen = fetchCrl[2].ulValueLen;
>         new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen+1);
>         <== new_node->crl==NULL
>
> => Access Violation on dereferencing new_node->crl->url
Thank you for providing the detailed debug information. Now
it's obvious why we crash in pk11_CollectCrls. I opened bug
156801 (http://bugzilla.mozilla.org/show_bug.cgi?id=156801)
for this problem. This one is easy to fix.
It's not clear why CERT_DecodeDERCrl returns a NULL pointer on
decoding a v2 CRL with no revoked certificates in it. Such a
CRL should be legal, so this seems like a bug. I opened
bug 156802 (http://bugzilla.mozilla.org/show_bug.cgi?id=156802)
for this problem.
Please follow up in the bug reports.
Wan-Teh
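As an added illustration of the two points in this thread (not code from the thread or from NSS): a small Python walk over the outer DER structure of an X.509 CertificateList (RFC 3280, section 5.1) in which revokedCertificates is OPTIONAL, so a v2 CRL that revokes nothing decodes to a count of 0 rather than a failure (bug 156802), and malformed input raises instead of returning a value the caller could forget to check, which is the pattern behind the crash in pk11_CollectCrls (bug 156801). The helper names, the DER tag constants and the sample CRL (dummy issuer, algorithm and signature) are all constructed for this example.

```python
SEQ, INT, OID, UTC, GEN, CTX0 = 0x30, 0x02, 0x06, 0x17, 0x18, 0xA0    # DER tags used below

def tlv(tag, body):
    """DER-encode one TLV; bodies up to 255 bytes are all the samples need."""
    n = len(body)
    return bytes([tag] + ([n] if n < 0x80 else [0x81, n])) + body

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, value, next_pos); raises on malformed input."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2      # IndexError on a truncated header
    if n & 0x80:                                       # long form: the next (n & 0x7F) bytes hold the length
        k = n & 0x7F or len(buf)                       # k == 0 is BER indefinite length: make the check below fail
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value or non-DER length")
    return tag, buf[pos:pos + n], pos + n

def inner(tag_value, want):
    """(tag, value) pairs of the elements inside a constructed value, after checking its tag."""
    if tag_value[0] != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag_value[0]))
    out, pos = [], 0
    while pos < len(tag_value[1]):
        tag, val, pos = read_tlv(tag_value[1], pos)
        out.append((tag, val))
    return out

def crl_revoked_count(der):
    """Entries in revokedCertificates (0 when the OPTIONAL field is absent); raises on malformed DER."""
    fields = inner(inner(read_tlv(der)[:2], SEQ)[0], SEQ)         # CertificateList -> TBSCertList
    if fields[0][0] == INT:                                        # version OPTIONAL (absent means v1)
        fields.pop(0)
    sig, issuer, this_update, *rest = fields                       # ValueError if one of the three is missing
    if (sig[0], issuer[0]) != (SEQ, SEQ) or this_update[0] not in (UTC, GEN):
        raise ValueError("signature, issuer or thisUpdate has the wrong tag")
    if rest and rest[0][0] in (UTC, GEN):                          # nextUpdate OPTIONAL
        rest.pop(0)
    revoked = [inner(e, SEQ) for e in inner(rest.pop(0), SEQ)] if rest and rest[0][0] == SEQ else []  # OPTIONAL
    if rest and (rest[0][0] != CTX0 or len(rest) > 1):             # only crlExtensions [0] may follow
        raise ValueError("unexpected element after revokedCertificates")
    return len(revoked)                                            # 0, not a failure, for a CRL that revokes nothing

def sample_crl(serials):
    """Constructed v2 CRL (dummy issuer, algorithm and signature) revoking `serials`."""
    t, alg = tlv(UTC, b"020710120000Z"), tlv(SEQ, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))
    revoked = tlv(SEQ, b"".join(tlv(SEQ, tlv(INT, bytes([s])) + t) for s in serials))
    ext = tlv(CTX0, tlv(SEQ, tlv(SEQ, tlv(OID, b"\x55\x1d\x14") + tlv(0x04, tlv(INT, b"\x07")))))
    tbs = tlv(INT, b"\x01") + alg + tlv(SEQ, b"") + t + t + (revoked if serials else b"") + ext
    return tlv(SEQ, tlv(SEQ, tbs) + alg + tlv(0x03, b"\x00\xde\xad"))
```

The walk checks structure only; it does not verify the signature or decode the extensions, so it is a model of the decoding step, not a replacement for CERT_DecodeDERCrl.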