1136140 - Firefox on Windows crashes when opening secure websocket connections through an HTTPS proxy

Status: RESOLVED FIXED

(Core :: Networking: WebSockets, defect)

Description

[Alex Grigorovitch]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36

Steps to reproduce:

1. Setup a secure web proxy: that is, an HTTP proxy over a TLS connection. Assuming the proxy has been set up on proxy.example.com:443

2. Create a PAC script that looks like the following:

    function FindProxyForURL(url,host) {
      return "HTTPS proxy.example.com:443";
    }

3. Open Tools -> Options -> Advanced -> Network -> Settings. Select "Automatic proxy configuration URL" and type an URL to the PAC script you created in step 2.

4. Open Tools -> Web Developer -> Scratch pad. Paste the following code

    var ws = new WebSocket("wss://echo.websocket.org/")

and press "Run".


Actual results:

Firefox crashes reliably, producing the following crash report:

https://crash-stats.mozilla.com/report/index/f5765143-8ea1-42ef-963a-d220a2150224


Expected results:

Firefox should keep running. A websocket connection to wss://echo.websocket.org/ should be established

Comment 1

[Alex Grigorovitch]

User-agent string in the description is unrelated to the bug. The actual User-Agent string for the firefox in question is

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Comment 2

[Patrick McManus [:mcmanus]]

this will crash for me on any channel-build (even nightly), but when I build my own tree with debug options (and use the same profile) its fine.

Comment 3

[Patrick McManus [:mcmanus]]

the same smart pointer is used as both an input argument and a output argument (via getter_AddRefs()) here:

https://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpConnection.cpp#1125

it depends on the compiler optimization strategy in play, but that can result in nulling of the input argument.

Comment 4

[Patrick McManus [:mcmanus]]

alex, thanks for filing the bug!

Comment 5

[Patrick McManus [:mcmanus]]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=c7cd66f9cb74

Comment 6

[Patrick McManus [:mcmanus]]

Attachment: wss inside https proxy null deref

Comment 7

[Patrick McManus [:mcmanus]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/2766bae39188

Comment 8

[Ekanan Ketunuti]

https://hg.mozilla.org/mozilla-central/rev/2766bae39188

Comment 9

[Patrick McManus [:mcmanus]]

Comment on attachment 8574847 [details] [diff] [review]
wss inside https proxy null deref

Approval Request Comment
[Feature/regressing bug #]: feature 378637
[User impact if declined]: using a combination of secure proxy and secure websockets can lead to a safe crash
[Describe test coverage new/current, TreeHerder]:reproduced problem report
[Risks and why]: very small simple and safe fix
[String/UUID change made/needed]: none

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/609b4fbc385f

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/b8c7154fab60