Bug 1599545 Comment 0 Edit History


After fixing bug 1590001, oss-fuzz has found another issue in the TLS1.3 state machine:

```
Assertion failure: ss->firstHsDone, at ../../lib/ssl/tls13con.c:801
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==1==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x000000000001 (pc 0x7f58f91fb428 bp 0x7ffd28df9e70 sp 0x7ffd28df9d08 T1)
    #0 0x7f58f91fb428 in gsignal /build/glibc-LK5gWL/glibc-2.23/sysdeps/unix/sysv/linux/raise.c:54
    #1 0x7f58f91fd029 in abort /build/glibc-LK5gWL/glibc-2.23/stdlib/abort.c:89
    #2 0x7f86ec in PR_Assert nspr/pr/src/io/prlog.c:571:5
    #3 0x491c41 in tls13_HandleKeyUpdate nss/lib/ssl/tls13con.c:801:5
    #4 0x4c7bb6 in ssl3_HandleHandshakeMessage nss/lib/ssl/ssl3con.c:12075:22
    #5 0x4cb7a7 in ssl3_HandleHandshake nss/lib/ssl/ssl3con.c:12247:18
    #6 0x4ca556 in ssl3_HandleNonApplicationData nss/lib/ssl/ssl3con.c:12766:22
    #7 0x4cc53a in ssl3_HandleRecord nss/lib/ssl/ssl3con.c:13048:12
    #8 0x4e5f65 in ssl3_GatherCompleteHandshake nss/lib/ssl/ssl3gthr.c:512:18
    #9 0x4e917c in ssl_GatherRecord1stHandshake nss/lib/ssl/sslcon.c:73:10
    #10 0x473d33 in ssl_Do1stHandshake nss/lib/ssl/sslsecur.c:41:14
```

Test case attached. Can be reproduced with `./build.sh --fuzz --asan` and `LD_LIBRARY_PATH=../dist/Debug/lib/ ../dist/Debug/bin/nssfuzz-tls-server clusterfuzz-testcase-minimized-tls-server-no_fuzzer_mode-5673973517385728`.

**Disclosure-2020-02-24**
**Reported-2019-11-26**
oss-fuzz has found an issue in the TLS1.3 state machine:

```
Assertion failure: ss->firstHsDone, at ../../lib/ssl/tls13con.c:801
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==1==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x000000000001 (pc 0x7f58f91fb428 bp 0x7ffd28df9e70 sp 0x7ffd28df9d08 T1)
    #0 0x7f58f91fb428 in gsignal /build/glibc-LK5gWL/glibc-2.23/sysdeps/unix/sysv/linux/raise.c:54
    #1 0x7f58f91fd029 in abort /build/glibc-LK5gWL/glibc-2.23/stdlib/abort.c:89
    #2 0x7f86ec in PR_Assert nspr/pr/src/io/prlog.c:571:5
    #3 0x491c41 in tls13_HandleKeyUpdate nss/lib/ssl/tls13con.c:801:5
    #4 0x4c7bb6 in ssl3_HandleHandshakeMessage nss/lib/ssl/ssl3con.c:12075:22
    #5 0x4cb7a7 in ssl3_HandleHandshake nss/lib/ssl/ssl3con.c:12247:18
    #6 0x4ca556 in ssl3_HandleNonApplicationData nss/lib/ssl/ssl3con.c:12766:22
    #7 0x4cc53a in ssl3_HandleRecord nss/lib/ssl/ssl3con.c:13048:12
    #8 0x4e5f65 in ssl3_GatherCompleteHandshake nss/lib/ssl/ssl3gthr.c:512:18
    #9 0x4e917c in ssl_GatherRecord1stHandshake nss/lib/ssl/sslcon.c:73:10
    #10 0x473d33 in ssl_Do1stHandshake nss/lib/ssl/sslsecur.c:41:14
```

Test case attached. Can be reproduced with `./build.sh --fuzz --asan` and `LD_LIBRARY_PATH=../dist/Debug/lib/ ../dist/Debug/bin/nssfuzz-tls-server clusterfuzz-testcase-minimized-tls-server-no_fuzzer_mode-5673973517385728`.

**Disclosure-2020-02-24**
**Reported-2019-11-26**
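The trace in both versions of this comment shows a KeyUpdate reaching `tls13_HandleKeyUpdate` while `ss->firstHsDone` is still false, so a debug assertion fires on a condition the peer controls. The following is an added illustration, not NSS code and not the fix applied to this bug: a small TLS 1.3 handshake-message gate that treats "message not legal in this state" as input validation and returns an `unexpected_message` alert instead of asserting. The `struct conn` fields and function names are hypothetical; the HandshakeType and AlertDescription numbers are those of RFC 8446, and the sample message bytes are constructed.

```c
/* Added example (not NSS code): gate TLS 1.3 handshake messages by
 * connection state and answer state violations with an alert, never an
 * assertion. Struct and function names are hypothetical; numeric codes
 * are from RFC 8446. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HandshakeType values, RFC 8446 section 4. */
enum hs_type {
    HS_CLIENT_HELLO = 1, HS_SERVER_HELLO = 2, HS_NEW_SESSION_TICKET = 4,
    HS_END_OF_EARLY_DATA = 5, HS_ENCRYPTED_EXTENSIONS = 8, HS_CERTIFICATE = 11,
    HS_CERTIFICATE_REQUEST = 13, HS_CERTIFICATE_VERIFY = 15, HS_FINISHED = 20,
    HS_KEY_UPDATE = 24
};

/* AlertDescription values, RFC 8446 section 6; ACCEPTED means no alert. */
enum alert_result {
    ACCEPTED = 0,
    ALERT_UNEXPECTED_MESSAGE = 10,
    ALERT_ILLEGAL_PARAMETER = 47,
    ALERT_DECODE_ERROR = 50
};

/* Hypothetical connection state; first_hs_done plays the role of ss->firstHsDone. */
struct conn {
    bool is_server;
    bool first_hs_done;
    unsigned key_updates_received;
};

/* Which handshake messages the peer may legitimately send us in the current phase. */
static bool message_allowed(const struct conn *c, uint8_t type)
{
    if (!c->first_hs_done) {
        if (c->is_server) {
            /* Messages a client sends during the initial handshake. */
            switch (type) {
            case HS_CLIENT_HELLO: case HS_END_OF_EARLY_DATA: case HS_CERTIFICATE:
            case HS_CERTIFICATE_VERIFY: case HS_FINISHED:
                return true;
            default:
                return false;
            }
        }
        /* Messages a server sends during the initial handshake. */
        switch (type) {
        case HS_SERVER_HELLO: case HS_ENCRYPTED_EXTENSIONS: case HS_CERTIFICATE_REQUEST:
        case HS_CERTIFICATE: case HS_CERTIFICATE_VERIFY: case HS_FINISHED:
            return true;
        default:
            return false;
        }
    }
    /* Post-handshake: KeyUpdate in either direction, NewSessionTicket only server->client. */
    if (type == HS_KEY_UPDATE)
        return true;
    if (type == HS_NEW_SESSION_TICKET)
        return !c->is_server;
    return false;
}

/* Gate one handshake message and, for KeyUpdate, validate its body.
 * Returns ACCEPTED or the alert that should be sent before closing. */
enum alert_result handle_handshake_message(struct conn *c, uint8_t type,
                                           const uint8_t *body, size_t len)
{
    if (!message_allowed(c, type))
        return ALERT_UNEXPECTED_MESSAGE; /* peer-controlled condition: alert, do not assert */

    if (type == HS_KEY_UPDATE) {
        /* KeyUpdate is exactly one byte, request_update in {0, 1} (RFC 8446 section 4.6.3). */
        if (len != 1)
            return ALERT_DECODE_ERROR;
        if (body[0] > 1)
            return ALERT_ILLEGAL_PARAMETER;
        c->key_updates_received++;
        return ACCEPTED;
    }
    /* Other message types would be handed to the full state machine here. */
    return ACCEPTED;
}

/* Constructed input shaped like the finding above: KeyUpdate(update_not_requested)
 * arriving at a server whose first handshake has not completed. */
enum alert_result premature_key_update_result(void)
{
    struct conn c = { .is_server = true, .first_hs_done = false, .key_updates_received = 0 };
    const uint8_t key_update_body[1] = { 0 };
    return handle_handshake_message(&c, HS_KEY_UPDATE, key_update_body, sizeof key_update_body);
}

/* The same constructed message once the handshake is done: accepted and counted. */
enum alert_result completed_key_update_result(unsigned *count_out)
{
    struct conn c = { .is_server = true, .first_hs_done = true, .key_updates_received = 0 };
    const uint8_t key_update_body[1] = { 0 };
    enum alert_result r = handle_handshake_message(&c, HS_KEY_UPDATE, key_update_body, 1);
    if (count_out)
        *count_out = c.key_updates_received;
    return r;
}

int main(void)
{
    unsigned n = 0;
    printf("premature KeyUpdate -> alert %d\n", premature_key_update_result());
    printf("post-handshake KeyUpdate -> %d (updates counted: %u)\n",
           completed_key_update_result(&n), n);
    return 0;
}
```

The point of the gate is that `first_hs_done` is checked before any KeyUpdate-specific code runs, so the path the fuzzer hit is closed by the same check that governs every other message type, and a hostile or confused peer gets a protocol-level alert rather than a process abort.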
