firefox/CVE-2022-3479.patch

# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1670534238 28800
# Node ID a7f363511333b8062945557607691002fd6e40b9
# Parent  89a562b7cf3d3c501ee49143e0b12c7d0f330a69
Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database.

The filter functions do not handle NULL CERTCertLists, but CERT_FindUserCertsByUsage can return a NULL cert list. If it returns a NULL list, we should just
fail at the point (there are no certs available).

Differential Revision: https://phabricator.services.mozilla.com/D164273

Origin: https://hg.mozilla.org/projects/nss/rev/a7f363511333b8062945557607691002fd6e40b9

diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
--- a/security/nss/lib/ssl/authcert.c
+++ b/security/nss/lib/ssl/authcert.c
@@ -201,36 +201,36 @@ NSS_GetClientAuthData(void *arg,
 
     /* otherwise look through the cache based on usage
      * if chosenNickname is set, we ignore the expiration date */
     if (certList == NULL) {
         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
                                              certUsageSSLClient,
                                              PR_FALSE, chosenNickName == NULL,
                                              pw_arg);
+        if (certList == NULL) {
+            return SECFailure;
+        }
         /* filter only the certs that meet the nickname requirements */
         if (chosenNickName) {
             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
                                                pw_arg);
         } else {
             int nnames = 0;
             char **names = ssl_DistNamesToStrings(caNames, &nnames);
             rv = CERT_FilterCertListByCANames(certList, nnames, names,
                                               certUsageSSLClient);
             ssl_FreeDistNamesStrings(names, nnames);
         }
         if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
             CERT_DestroyCertList(certList);
-            certList = NULL;
+            return SECFailure;
         }
     }
-    if (certList == NULL) {
-        /* no user certs meeting the nickname/usage requirements found */
-        return SECFailure;
-    }
+
     /* now remove any certs that can't meet the connection requirements */
     rv = ssl_FilterClientCertListBySSLSocket(ss, certList);
     if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
         // no certs left.
         CERT_DestroyCertList(certList);
         return SECFailure;
     }