Firefox on Windows crashes when opening secure websocket connections through an HTTPS proxy

RESOLVED FIXED in Firefox 37

Status

Core
Networking: WebSockets
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: Alex Grigorovitch, Assigned: mcmanus)

Tracking

({crash, crashreportid})

35 Branch
mozilla39
x86
Windows 8
crash, crashreportid
Points:
---

Firefox Tracking Flags

(firefox36 wontfix, firefox37 fixed, firefox38 fixed, firefox39 fixed)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36

Steps to reproduce:

1. Set up a secure web proxy: that is, an HTTP proxy over a TLS connection. Assuming the proxy has been set up on proxy.example.com:443.

2. Create a PAC script that looks like the following:

    function FindProxyForURL(url,host) {
      return "HTTPS proxy.example.com:443";
    }

3. Open Tools -> Options -> Advanced -> Network -> Settings. Select "Automatic proxy configuration URL" and type a URL to the PAC script you created in step 2.

4. Open Tools -> Web Developer -> Scratch pad. Paste the following code

    var ws = new WebSocket("wss://echo.websocket.org/")

and press "Run".


Actual results:

Firefox crashes reliably, producing the following crash report:

https://crash-stats.mozilla.com/report/index/f5765143-8ea1-42ef-963a-d220a2150224


Expected results:

Firefox should keep running. A websocket connection to wss://echo.websocket.org/ should be established.
(Reporter)

Comment 1

3 years ago
The User-Agent string in the description is unrelated to the bug. The actual User-Agent string for the Firefox in question is

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
(Reporter)

Updated

3 years ago
Crash Signature: mozilla::net::SocketInWrapper::AsyncWait(nsIInputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)
OS: Mac OS X → Windows 8
(Reporter)

Updated

3 years ago
Severity: normal → critical

Updated

3 years ago
Crash Signature: mozilla::net::SocketInWrapper::AsyncWait(nsIInputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*) → [@ mozilla::net::SocketInWrapper::AsyncWait(nsIInputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*) ]
QA Whiteboard: [bugday-20150302]
Component: Untriaged → Networking: WebSockets
Keywords: crash, crashreportid
Product: Firefox → Core
This will crash for me on any channel build (even nightly), but when I build my own tree with debug options (and use the same profile) it's fine.
The same smart pointer is used as both an input argument and an output argument (via getter_AddRefs()) here:

https://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpConnection.cpp#1125

It depends on the compiler optimization strategy in play, but that can result in nulling of the input argument.
Blocks: 378637
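The hazard described in the comment above, reduced to a stand-alone model (an added example, not Firefox source and not the attached patch). `Ptr`, `wrap` and the helper names are hypothetical; the one behaviour carried over from XPCOM is that getter_AddRefs() clears the holder before handing out its address.

```cpp
#include <cstdio>

// Simplified stand-ins, all hypothetical: not Mozilla's nsCOMPtr or streams.
struct Stream {};
struct Ptr {
    Stream* raw;
    explicit Ptr(Stream* s = nullptr) : raw(s) {}
    Stream* get() const { return raw; }
};

// Model of getter_AddRefs(): clears the holder before exposing its slot,
// so the callee can store a fresh pointer into it.
Stream** getter_addrefs(Ptr& p) { p.raw = nullptr; return &p.raw; }

// Hypothetical callee: wraps `in`, returns the wrapper through `out`.
// Reports failure on a null input where real code would dereference it.
bool wrap(Stream* in, Stream** out) {
    static Stream wrapper;
    if (!in) return false;
    *out = &wrapper;
    return true;
}

// wrap(p.get(), getter_addrefs(p)) leaves the argument evaluation order to
// the compiler. The next two functions spell out both permitted orders.
bool aliased_input_first(Ptr& p) {
    Stream* in = p.get();
    Stream** out = getter_addrefs(p);
    return wrap(in, out);
}
bool aliased_output_first(Ptr& p) {
    Stream** out = getter_addrefs(p);  // p is nulled here
    Stream* in = p.get();              // so the input is already null
    return wrap(in, out);
}
// Order-independent form: the result goes into a separate holder.
bool separate_holder(Ptr& p) {
    Ptr result;
    if (!wrap(p.get(), getter_addrefs(result))) return false;
    p = result;
    return true;
}

int main() {
    Stream s;
    Ptr a(&s), b(&s), c(&s);
    std::printf("input first: %d, output first: %d, separate holder: %d\n",
                aliased_input_first(a), aliased_output_first(b), separate_holder(c));
    return 0;
}
```

Because both orders are permitted, a debug build and an optimized build of the same aliased call can behave differently, which matches the report that only channel builds crashed.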
Alex, thanks for filing the bug!
https://treeherder.mozilla.org/#/jobs?repo=try&revision=c7cd66f9cb74
Created attachment 8574847 [details] [diff] [review]
wss inside https proxy null deref
Attachment #8574847 - Flags: review?(hurley)
Assignee: nobody → mcmanus
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8574847 - Flags: review?(hurley) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/2766bae39188

Comment 8

3 years ago
https://hg.mozilla.org/mozilla-central/rev/2766bae39188
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox39: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
status-firefox36: --- → wontfix
status-firefox37: --- → affected
status-firefox38: --- → affected
Comment on attachment 8574847 [details] [diff] [review]
wss inside https proxy null deref

Approval Request Comment
[Feature/regressing bug #]: feature 378637
[User impact if declined]: using a combination of secure proxy and secure websockets can lead to a safe crash
[Describe test coverage new/current, TreeHerder]:reproduced problem report
[Risks and why]: very small simple and safe fix
[String/UUID change made/needed]: none
Attachment #8574847 - Flags: approval-mozilla-beta?
Attachment #8574847 - Flags: approval-mozilla-aurora?
Attachment #8574847 - Flags: approval-mozilla-beta?
Attachment #8574847 - Flags: approval-mozilla-beta+
Attachment #8574847 - Flags: approval-mozilla-aurora?
Attachment #8574847 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/609b4fbc385f
status-firefox38: affected → fixed
https://hg.mozilla.org/releases/mozilla-beta/rev/b8c7154fab60
status-firefox37: affected → fixed