The default bug view has changed. See this FAQ.

Firefox on Windows crashes when opening secure websocket connections through an HTTPS proxy

RESOLVED FIXED in Firefox 37

Status

()

Core
Networking: WebSockets
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Alex Grigorovitch, Assigned: mcmanus)

Tracking

({crash, crashreportid})

35 Branch
mozilla39
x86
Windows 8
crash, crashreportid
Points:
---

Firefox Tracking Flags

(firefox36 wontfix, firefox37 fixed, firefox38 fixed, firefox39 fixed)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36

Steps to reproduce:

1. Setup a secure web proxy: that is, an HTTP proxy over a TLS connection. Assuming the proxy has been set up on proxy.example.com:443

2. Create a PAC script that looks like the following:

    function FindProxyForURL(url,host) {
      return "HTTPS proxy.example.com:443";
    }

3. Open Tools -> Options -> Advanced -> Network -> Settings. Select "Automatic proxy configuration URL" and type an URL to the PAC script you created in step 2.

4. Open Tools -> Web Developer -> Scratch pad. Paste the following code

    var ws = new WebSocket("wss://echo.websocket.org/")

and press "Run".


Actual results:

Firefox crashes reliably, producing the following crash report:

https://crash-stats.mozilla.com/report/index/f5765143-8ea1-42ef-963a-d220a2150224


Expected results:

Firefox should keep running. A websocket connection to wss://echo.websocket.org/ should be established
(Reporter)

Comment 1

2 years ago
User-agent string in the description is unrelated to the bug. The actual User-Agent string for the firefox in question is

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
(Reporter)

Updated

2 years ago
Crash Signature: mozilla::net::SocketInWrapper::AsyncWait(nsIInputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)
OS: Mac OS X → Windows 8
(Reporter)

Updated

2 years ago
Severity: normal → critical

Updated

2 years ago
Crash Signature: mozilla::net::SocketInWrapper::AsyncWait(nsIInputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*) → [@ mozilla::net::SocketInWrapper::AsyncWait(nsIInputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*) ]
QA Whiteboard: [bugday-20150302]
Component: Untriaged → Networking: WebSockets
Keywords: crash, crashreportid
Product: Firefox → Core
(Assignee)

Comment 2

2 years ago
this will crash for me on any channel-build (even nightly), but when I build my own tree with debug options (and use the same profile) its fine.
(Assignee)

Comment 3

2 years ago
the same smart pointer is used as both an input argument and a output argument (via getter_AddRefs()) here:

https://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpConnection.cpp#1125

it depends on the compiler optimization strategy in play, but that can result in nulling of the input argument.
(Assignee)

Updated

2 years ago
Blocks: 378637
(Assignee)

Comment 4

2 years ago
alex, thanks for filing the bug!
(Assignee)

Comment 5

2 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=c7cd66f9cb74
(Assignee)

Updated

2 years ago
Comment 5 is private: false
(Assignee)

Comment 6

2 years ago
Created attachment 8574847 [details] [diff] [review]
wss inside https proxy null deref
Attachment #8574847 - Flags: review?(hurley)
(Assignee)

Updated

2 years ago
Assignee: nobody → mcmanus
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8574847 - Flags: review?(hurley) → review+
(Assignee)

Comment 7

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/2766bae39188

Comment 8

2 years ago
https://hg.mozilla.org/mozilla-central/rev/2766bae39188
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox39: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
(Assignee)

Updated

2 years ago
status-firefox36: --- → wontfix
status-firefox37: --- → affected
status-firefox38: --- → affected
(Assignee)

Comment 9

2 years ago
Comment on attachment 8574847 [details] [diff] [review]
wss inside https proxy null deref

Approval Request Comment
[Feature/regressing bug #]: feature 378637
[User impact if declined]: using a combination of secure proxy and secure websockets can lead to a safe crash
[Describe test coverage new/current, TreeHerder]:reproduced problem report
[Risks and why]: very small simple and safe fix
[String/UUID change made/needed]: none
Attachment #8574847 - Flags: approval-mozilla-beta?
Attachment #8574847 - Flags: approval-mozilla-aurora?
Attachment #8574847 - Flags: approval-mozilla-beta?
Attachment #8574847 - Flags: approval-mozilla-beta+
Attachment #8574847 - Flags: approval-mozilla-aurora?
Attachment #8574847 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/609b4fbc385f
status-firefox38: affected → fixed
https://hg.mozilla.org/releases/mozilla-beta/rev/b8c7154fab60
status-firefox37: affected → fixed
You need to log in before you can comment on or make changes to this bug.