Closed Bug 780104 Opened 12 years ago Closed 12 years ago

Incorrect dictionary in SPDY response causes infinite loop

Categories

(Core :: Networking: HTTP, defect)

15 Branch
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla17

People

(Reporter: support, Assigned: mcmanus)

Details

(Whiteboard: [spdy])

Attachments

(1 file)

I returned a SPDY_CONTROL_TYPE_SYN_REPLY to Firefox with a compression dictionary that did not match the SPDY spec.

Firefox went into an infinite loop, continually failing to set the correct dictionary.

The infinite loop in FF 15 beta occurred in SpdySession2::DownstreamUncompress, SpdySession3::UncompressAndDiscard and SpdyStream3::Uncompress.

The same also applies to the SPDY implementations in FF 13 and FF 14.

The problem is code like this:

  do {
    mDownstreamZlib.next_out = trash;
    mDownstreamZlib.avail_out = sizeof(trash);
    int zlib_rv = inflate(&mDownstreamZlib, Z_NO_FLUSH);

    if (zlib_rv == Z_NEED_DICT)
      inflateSetDictionary(&mDownstreamZlib, SpdyStream3::kDictionary,
                           sizeof(SpdyStream3::kDictionary));

    if (zlib_rv == Z_DATA_ERROR || zlib_rv == Z_MEM_ERROR)
      return NS_ERROR_FAILURE;
  }
  while (mDownstreamZlib.avail_in);

The call to inflateSetDictionary fails with Z_NEED_DICT if SpdyStream3::kDictionary does not match the dictionary that was actually set in the stream.

The solution is to re-attempt the inflate and break out of the loop if the dictionary is still not correct:

  do {
    mDownstreamZlib.next_out = trash;
    mDownstreamZlib.avail_out = sizeof(trash);
    int zlib_rv = inflate(&mDownstreamZlib, Z_NO_FLUSH);

    if (zlib_rv == Z_NEED_DICT) {
      inflateSetDictionary(&mDownstreamZlib, SpdyStream3::kDictionary,
                           sizeof(SpdyStream3::kDictionary));

      // Re-attempt the inflate with the new dictionary to ensure the
      // correct dictionary was set in the stream
      zlib_rv = inflate(&mDownstreamZlib, Z_NO_FLUSH);

      // Return an error rather than going into an infinite loop
      if (zlib_rv == Z_NEED_DICT)
        return NS_ERROR_FAILURE;
    }

    if (zlib_rv == Z_DATA_ERROR || zlib_rv == Z_MEM_ERROR)
      return NS_ERROR_FAILURE;
  }
  while (mDownstreamZlib.avail_in);
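
Added example, not part of the original report or the Firefox patch: a zlib stream built with a preset dictionary carries that dictionary's Adler-32 (DICTID) in its RFC 1950 header, so the receiver can detect a mismatch and fail once instead of retrying. The sketch uses Python's standard zlib binding; both dictionaries, the header bytes and the function names are constructed for illustration.

```python
import struct
import zlib

# Constructed stand-ins for illustration; neither is the real SPDY dictionary.
EXPECTED_DICT = b"optionsgetheadpostputdeletetraceacceptaccept-charset"
PEER_DICT = b"a-different-dictionary-chosen-by-a-misbehaving-peer"


def deflate_with_dict(payload: bytes, zdict: bytes) -> bytes:
    """Build a zlib stream compressed against a preset dictionary."""
    comp = zlib.compressobj(zdict=zdict)
    return comp.compress(payload) + comp.flush()


def stream_dictid(stream: bytes):
    """Return DICTID from an RFC 1950 header, or None when FDICT is clear."""
    if len(stream) < 2:
        raise ValueError("truncated zlib header")
    cmf, flg = stream[0], stream[1]
    if (cmf & 0x0F) != 8 or ((cmf << 8) | flg) % 31 != 0:
        raise ValueError("not a zlib header")
    if not flg & 0x20:  # FDICT bit clear: no preset dictionary requested
        return None
    if len(stream) < 6:
        raise ValueError("truncated DICTID")
    return struct.unpack(">I", stream[2:6])[0]


def inflate_checked(stream: bytes, zdict: bytes = EXPECTED_DICT) -> bytes:
    """Inflate once; a dictionary mismatch is a hard error, never a retry."""
    dictid = stream_dictid(stream)
    if dictid is not None and dictid != zlib.adler32(zdict):
        raise ValueError("stream was compressed with a different dictionary")
    try:
        return zlib.decompressobj(zdict=zdict).decompress(stream)
    except zlib.error as exc:
        raise ValueError(f"inflate failed: {exc}") from exc


if __name__ == "__main__":
    headers = b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n"  # constructed
    print(inflate_checked(deflate_with_dict(headers, EXPECTED_DICT)))
    try:
        inflate_checked(deflate_with_dict(headers, PEER_DICT))
    except ValueError as exc:
        print("rejected:", exc)
```
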
Component: General → Networking: HTTP
Product: Firefox → Core
thanks
Assignee: nobody → mcmanus
Whiteboard: [spdy]
Attached patch: patch 0
Attachment #649526 - Flags: review?(honzab.moz)
Comment on attachment 649526
patch 0

Review of attachment 649526:
-----------------------------------------------------------------

r=honzab

Please just check added trailing white spaces in splinter before landing.
Attachment #649526 - Flags: review?(honzab.moz) → review+
https://hg.mozilla.org/mozilla-central/rev/d1ed1834ee75
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED