roytam1/UXP
1
0
Fork 0
mirror of https://github.com/roytam1/UXP.git synced 2026-05-26 05:46:58 +00:00
Code Issues Projects Releases Wiki Activity

Bug 2029771 - Heap use-after-free in [@ token_destructor] reading tok->pk11slot after nssToken_Destroy frees the token arena.

Browse Source
This commit is contained in:
John Schanck
2026-05-24 15:07:24 +02:00
committed by roytam1
parent 6511833580
commit 57bef0265c
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
security/nss/lib/pki/trustdomain.c
+9 -5
View File
@@ -61,11 +61,15 @@ static void
token_destructor(void *t)
{
NSSToken *tok = (NSSToken *)t;
/* The token holds the first/last reference to the slot.
* When the token is actually destroyed (ref count == 0),
* the slot will also be destroyed.
*/
nssToken_Destroy(tok);
/* Signal that the slot should not give out any more references to the
* token. Do this first, while |tok| (and its reference to the slot) is
* still alive: the list may hold the last reference, in which case
* nssToken_Destroy() below frees the arena that contains |tok|. */
PK11Slot_SetNSSToken(tok->pk11slot, NULL);
/* Remove the token list's reference to the token */
(void)nssToken_Destroy(tok);
}
NSS_IMPLEMENT PRStatus