Bug 780104: Incorrect dictionary in SPDY response causes infinite loop
Status: Closed (opened 12 years ago, closed 12 years ago)
Categories: Core :: Networking: HTTP, defect
Tracking: RESOLVED FIXED, mozilla17
People: Reporter: support, Assigned: mcmanus
Whiteboard: [spdy]
Attachments (1 file): patch, 4.34 KB (mayhemer: review+)
I returned a SPDY_CONTROL_TYPE_SYN_REPLY to Firefox with a compression dictionary that did not match the SPDY spec, and Firefox went into an infinite loop, continually failing to set the correct dictionary.

The infinite loop in FF 15 beta occurred in SpdySession2::DownstreamUncompress, SpdySession3::UncompressAndDiscard and SpdyStream3::Uncompress. The same also applies to the SPDY implementations in FF 13 and FF 14.

The problem is code like this:

    do {
      mDownstreamZlib.next_out = trash;
      mDownstreamZlib.avail_out = sizeof(trash);
      int zlib_rv = inflate(&mDownstreamZlib, Z_NO_FLUSH);

      if (zlib_rv == Z_NEED_DICT)
        inflateSetDictionary(&mDownstreamZlib, SpdyStream3::kDictionary,
                             sizeof(SpdyStream3::kDictionary));

      if (zlib_rv == Z_DATA_ERROR || zlib_rv == Z_MEM_ERROR)
        return NS_ERROR_FAILURE;
    } while (mDownstreamZlib.avail_in);

The call inflateSetDictionary fails with Z_NEED_DICT if SpdyStream3::kDictionary does not match the dictionary that was actually set in the stream.

The solution is to re-attempt the inflate and break out of the loop if the dictionary is still not correct:

    do {
      mDownstreamZlib.next_out = trash;
      mDownstreamZlib.avail_out = sizeof(trash);
      int zlib_rv = inflate(&mDownstreamZlib, Z_NO_FLUSH);

      if (zlib_rv == Z_NEED_DICT) {
        inflateSetDictionary(&mDownstreamZlib, SpdyStream3::kDictionary,
                             sizeof(SpdyStream3::kDictionary));

        // Re-attempt the inflate with new dictionary to ensure correct
        // dictionary was set in the stream
        zlib_rv = inflate(&mDownstreamZlib, Z_NO_FLUSH);

        // Return an error rather than going into an infinite loop
        if (zlib_rv == Z_NEED_DICT)
          return NS_ERROR_FAILURE;
      }

      if (zlib_rv == Z_DATA_ERROR || zlib_rv == Z_MEM_ERROR)
        return NS_ERROR_FAILURE;
    } while (mDownstreamZlib.avail_in);
Updated • 12 years ago
Component: General → Networking: HTTP
Product: Firefox → Core
Comment 2 (Assignee) • 12 years ago
Attachment #649526 - Flags: review?(honzab.moz)
Comment 3 • 12 years ago
Comment on attachment 649526: patch 0
Review of attachment 649526:
r=honzab
Please just check added trailing white spaces in splinter before landing.
Attachment #649526 - Flags: review?(honzab.moz) → review+
Comment 4 (Assignee) • 12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d1ed1834ee75
Target Milestone: --- → mozilla17
Comment 5 • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/d1ed1834ee75
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED