Closed Bug 137322 Opened 23 years ago Closed 21 years ago

URL: long strings -> crash [@ MSVCRT.DLL ]

Categories

(Core :: Networking, defect, P1)

Product:
Core
Component:
Networking
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: cplyon, Assigned: gordon)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files, 1 obsolete file)

Testcase html file with long http link
1.02 KB, text/html
Details
Second shot. Bugzilla te the first one. win32 Moz Killer
1.10 KB, text/html
Details
Using build 2002041203 on WinXP. Steps to reproduce: 1. Enter a 998+ character string into the URL Bar or click an http link that long. Results: crash I admit this is an unlikely scenario, but according to the discussion in bug 56192, Mozilla should support URLs up to 2048 characters. Talkback IDs: TB5167863Z TB5167714M TB5167652W
Adding crash keyword.
Keywords: crash
can't reproduce this in 0.9.9 or trunk 2002041218 on linux
WFM trunk win32 (xp) 2002041203 - so same build, same os...
I will research this bug.
i test the long url of attachment,mozilla didn't crash,but it will hang on.
+cc: more URL help...
Summary: Extremely long URLs crash Mozilla → URL: long strings -> crash
WFM 0.9.9 linux. I don't think this could be located in core networking, there is no limit on urllength in there. Other possible locations where urls are stored: history prefs cookies Could someone take a look at these talkback IDs and publish a stacktrace or something similar here? That should give a clue.
I think this bug should be closed,because browser didn't crash.
WFM
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Still crashes for me on 2002041710 on WinXP with a clean profile. New talkback id: TB5361855Z Reopening until someone posts the talkback info or stack trace. Crashes shouldn't be dismissed so quickly :) Antonio: are you clicking the link in the attachment? What build are you using? What OS?
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
i use 2002041510 build on win2000,i click the linking in the attachment,but mozilla didn't crash,it will hang on,did you waiting for a long time before mozilla crash.
It crashes almost instantly after clicking the link. I can reproduce using Mozilla 1.0 RC1 (2002041711) on Win XP - clean install. Talkback id: TB5364189E
Crashed for me, WIN98SE, Talkback ID: TB5657688X. Using Mozilla 1.0RC1 Build: 2002041711.
*** Bug 151904 has been marked as a duplicate of this bug. ***
It'd be nice if someone looked at this. Kinda nasty, if someone wanted to be "bad". Copying Mattis' comment from Bug 151904: memset() line 108 PR_ConvertIPv4AddrToIPv6(unsigned int 0, PRIPv6Addr * 0x00000000) line 1529 + 13 bytes nsDNSLookup::HostnameIsIPAddress() line 693 + 22 bytes nsDNSLookup::InitiateLookup() line 709 + 8 bytes nsDNSLookup::EnqueueRequest(nsDNSRequest * 0x041cedb8) line 784 + 8 bytes nsDNSService::Lookup(nsDNSService * const 0x01071238, const char * 0x03f26f48, nsIDNSListener * 0x03e5121c, nsISupports * 0x00000000, nsIRequest * * 0x03e51234) line 1476 + 12 bytes nsSocketTransport::doResolveHost() line 734 + 78 bytes nsSocketTransport::Process(short 0) line 517 + 8 bytes nsSocketTransportService::ProcessWorkQ() line 306 + 10 bytes nsSocketTransportService::Run(nsSocketTransportService * const 0x010bdf3c) line 552 + 11 bytes nsThread::Main(void * 0x010bd3a0) line 120 + 26 bytes _PR_NativeRunThread(void * 0x010c6f60) line 433 + 13 bytes _threadstartex(void * 0x01015c38) line 212 + 13 bytes KERNEL32! 77e86523() -> Networking
Noting that it crashes with the latest nightlies on win32.
+neeti Lets put a sample URL into the URL field of this bug...
If I was still "there" (refer to old BA postings as race@netscape.com) I woulda done it. This is ugly. This will generate bad PR. This has been around since the first Moz-based public releases. Someone will exploit this. I'm just sayin. Adding my cheesy attachment. Adding Darin too. I'm just a QA guy. If I knew how to code, I'd be dangerous. -jim
Attached image win32 moz killer (obsolete) —
D'oh. Sorry. The above attachment will not crash your browser if you open it. You have to click on a link first. I'm being "nice". :)
Attachment #87773 - Attachment is obsolete: true
since our DNS implementation varies from platform to platform, its perhaps no surprise that this crash is only reported under windows. i'll take a look...
Assignee: new-network-bugs → darin
Severity: normal → major
Status: REOPENED → NEW
Priority: -- → P2
Target Milestone: --- → mozilla1.1beta
CONFIRMED: Chimera 0.3, while I am at it, using the example from bug 151904. +nsbeta1, all/all
Keywords: nsbeta1
OS: Windows XP → All
Hardware: PC → All
Should we bump up the priority? Reproducible crash, possible exploit....
-> DNS (gordon)
Assignee: darin → gordon
I am still experiencing this crash on 2002090708 on WinXP. Talkback id: TB10556787Z
UPDATE: Mozilla 1.1, Mac OS X and Linux. did not reproduce. Received DNS error (cannot be found).
Changing product.
Component: Networking → NSPR
Product: Browser → NSPR
Target Milestone: mozilla1.1beta → ---
Wan-Teh, shouldn't PR_StringToNetAddr() catch this and fail?
Assignee: gordon → wtc
QA Contact: benc → wtc
Gordon, PR_StringToNetAddr() probably should catch this and fail. I suggest that you work around this in your code. Two possible workarounds: 1. Check the string's length before passing it to PR_StringToNetAddr(). 2. Check the return value of BufAlloc and handle a nsnull return value as you do in nsDNSLookup::ConvertHostEntry(). #2 seems like a good thing to do anyway.
Assignee: wtc → gordon
Component: NSPR → Networking
Product: NSPR → Browser
QA Contact: wtc → benc
Okay, I'll work around it in our code, and write up a separate bug for PR_StringToNetAddr().
Status: NEW → ASSIGNED
Priority: P2 → P1
I can still reproduce this on 20021130 on WinXP upgrading to critical since this is an exploitable crasher.
Severity: major → critical
+clean-report - this needs to be targeted, unless there is further info needed.
Keywords: clean-report
re comment 28: When I have my proxy enabled (as usual) this also does not crash, only give the said DNS error. But when I switch to "directly connected to the internet" I get this crash. So maybe proxy settings make the difference. 2003012508 on Win2k.
Andreas: if I understand the problem correctly, the crash occurs in handling DNS/IP addressing. A proxy configuration does not do this, the URL is directly sent to the proxy.
adt: nsbeta1-
Keywords: nsbeta1nsbeta1-
Still as reported using Moz 1.4: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624 Talkback ID: TB22264128M
*** Bug 216553 has been marked as a duplicate of this bug. ***
crash loading testcase, TalkbackID of latest Mozilla: TB22857576X with Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5b) Gecko/20030818
the dns rewrite eliminates the BufAlloc code, which should have the side-effect of fixing this bug.
Depends on: 205726
Summary: URL: long strings -> crash → URL: long strings -> crash [@ MSVCRT.DLL ]
As Darin said, this bug is gone. Tested with current cvs build on Win2k. Can anybody test on Linux/Mac? (I guess it makes no difference...) So this can be resolved, right?
WFM Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7a) Gecko/20040117
WFM: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113 Marking resolved. -jim
Status: ASSIGNED → RESOLVED
Closed: 23 years ago21 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
No patch / checkin has been identified for having fixed the bug. ->WORKSFORME
Status: REOPENED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → WORKSFORME
Jason: > the dns rewrite eliminates the BufAlloc code, which should have > the side-effect of fixing this bug. This comes close enough, no?
That was my thought as well... Jason? It's certainly not a WFM resolution.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Okay, fair enough. Fixed by "DNS rewrite". But if anybody knows the bug number for that, please reference it here.
Status: REOPENED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED
Yes, I'm an idiot. Fixed by bug 205726.
Verified, per windows users comments above. has not been a problem in mac or linux since 1.1 (see #28). BTW, fixed w/ a dependency is best way to resolve this!
Status: RESOLVED → VERIFIED
OS: All → Windows XP
Hardware: All → PC
Crash Signature: [@ MSVCRT.DLL ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: