Package: nss / 2:3.87.1-1+deb12u1

CVE-2024-0743.patch
Description: CVE-2024-0743 potential crash due to integer underflow.
Origin: https://hg.mozilla.org/projects/nss/rev/1bda168c0da97e19e5f14bc4227c15c0a9f493b
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1867408 (not public)
Bug: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0743

# HG changeset patch
# User John Schanck <jschanck@mozilla.com>
# Date 1702322654 0
# Node ID 1bda168c0da97e19e5f14bc4227c15c0a9f493bf
# Parent  e934c6d1d4366d152e3307cb76af4c02667c9147
Bug 1867408 - add a defensive check for large ssl_DefSend return values. r=nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D195054

--- a/nss/lib/ssl/sslsecur.c
+++ b/nss/lib/ssl/sslsecur.c
@@ -458,7 +458,12 @@
         if (rv < 0) {
             return rv;
         }
-        ss->pendingBuf.len -= rv;
+        if (rv > ss->pendingBuf.len) {
+            PORT_Assert(0); /* This shouldn't happen */
+            ss->pendingBuf.len = 0;
+        } else {
+            ss->pendingBuf.len -= rv;
+        }
         if (ss->pendingBuf.len > 0 && rv > 0) {
             /* UGH !! This shifts the whole buffer down by copying it */
             PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv,
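
Review bot: In the new `rv > ss->pendingBuf.len` branch the anomaly is absorbed silently in non-debug builds, since `PORT_Assert(0)` is compiled out there and the code only sets `ss->pendingBuf.len = 0;` before carrying on. Clamping does keep the following `PORT_Memmove` from running with an out-of-range `rv` offset (the `ss->pendingBuf.len > 0` test is then false), so the memory-safety side is covered, but the caller gets no indication that `ssl_DefSend` reported more bytes sent than were pending. Consider setting an error code and returning failure from this branch, or extend the `/* This shouldn't happen */` comment to state which invariant was violated and why continuing with an emptied buffer is safe. It would also help to note that the comparison relies on the `rv < 0` early return just above, so a later reordering does not reintroduce a signed/unsigned mismatch.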