null-dereference crash in nr_stun_get_addrs

RESOLVED FIXED in Firefox 42

Status: RESOLVED FIXED (defect, P1, normal; Rank: 15)
People: Reporter: dbaron, Assigned: bwc
Tracking: {crash}; Trunk; mozilla42
Firefox Tracking Flags: firefox42 fixed
Attachments: 2 attachments

I just hit a null-dereference child process crash restoring my session:

(gdb) f 6
#6  0x00007f3552126891 in stun_getifaddrs (count=0x7f35356fa3a4,
    maxaddrs=<optimized out>, addrs=0x7f35356fa3a8)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/media/mtransport/third_party/nICEr/src/stun/addrs.c:262
262         switch (if_addr->ifa_addr->sa_family) {
(gdb) p if_addr
$1 = (struct ifaddrs *) 0x7f350c003fc8
(gdb) p if_addr->ifa_addr
$2 = (struct sockaddr *) 0x0

I'm using a Linux 64-bit debug build of https://hg.mozilla.org/mozilla-central/rev/2f25351c5b05 plus local patches.
On it.
Group: core-security
I would not say this is security, although the potential for user annoyance is very high for users with an unlucky network config.
I can repro reliably by loading http://www.vox.com/2015/6/15/8782235/san-francisco-housing-crisis which I pulled out of frame #11 on the stack.
Huh. That page must be spinning up a PeerConnection by default. Wonder why.
Fix incoming.
Can you unset the sec flag so I can use reviewboard for this?
Flags: needinfo?(dbaron)
I can also repro reliably by loading:
http://www.nytimes.com/2015/06/16/world/europe/pope-francis-environmental-encyclical.html

I find it somewhat disturbing that all these pages are triggering this -- ads, maybe?


And I'm happy to unset the sec flag, although EKR set it, given that it's a null-deref.
Group: core-security
Flags: needinfo?(dbaron)
I'm a little concerned that these sites are creating PeerConnections, yes.
Bug 1180311: Add null check to ifa_addr.
Attachment #8629507 - Flags: review?(ekr)
... and also http://arstechnica.com/gadgets/2014/10/how-mobile-payments-really-work/

(I'm repeatedly restoring the session and culling the tab that crashes.)
Crash Signature: [@ nr_stun_get_addrs ]
Assignee: nobody → docfaraday
Byron -- Is this a regression or is only Nightly (Fx42) affected?  Can you set the tracking info on this bug?  Thanks.
backlog: --- → webRTC+
Rank: 15
Flags: needinfo?(docfaraday)
Priority: -- → P1
Comment on attachment 8629507 [details]
MozReview Request: Bug 1180311: Add null check to ifa_addr.

Setting review flag (see comment 11).

This only affects nightly.

Try has some unrelated pre-existing failures.
Flags: needinfo?(docfaraday)
Attachment #8629507 - Flags: review?(ekr) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/2b835d207c96
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
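
The gdb session in this bug shows a getifaddrs() entry whose ifa_addr is NULL being dereferenced, and the fix is described as adding a null check on ifa_addr. The following is an added example of that check, not the patch attached to this bug and not nICEr code; the function names and the three-entry sample list are assumptions constructed for illustration.

```c
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical helper: count AF_INET/AF_INET6 entries in a getifaddrs() list.
 * getifaddrs(3) allows ifa_addr to be a null pointer, so it is tested before
 * sa_family is read; such entries are tallied in *skipped_null and skipped. */
static int count_ip_addrs(const struct ifaddrs *list, int *skipped_null)
{
    int count = 0;
    *skipped_null = 0;
    for (const struct ifaddrs *ifa = list; ifa != NULL; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL) {
            ++*skipped_null;
            continue;
        }
        switch (ifa->ifa_addr->sa_family) {
        case AF_INET:
        case AF_INET6:
            ++count;
            break;
        }
    }
    return count;
}

/* Constructed sample list (not captured data): the middle entry has no address. */
static int demo_constructed_list(int *skipped_null)
{
    static struct sockaddr_in v4 = { .sin_family = AF_INET };
    static struct sockaddr_in6 v6 = { .sin6_family = AF_INET6 };
    static struct ifaddrs e2 = { .ifa_addr = (struct sockaddr *)&v6 };
    static struct ifaddrs e1 = { .ifa_next = &e2, .ifa_addr = NULL };
    static struct ifaddrs e0 = { .ifa_next = &e1, .ifa_addr = (struct sockaddr *)&v4 };
    return count_ip_addrs(&e0, skipped_null);
}

int main(void)
{
    int skipped = 0, n = demo_constructed_list(&skipped);
    printf("constructed list: %d IP entries, %d with null ifa_addr\n", n, skipped);
    struct ifaddrs *live = NULL;
    if (getifaddrs(&live) == 0) {   /* same walk over this host's interfaces */
        n = count_ip_addrs(live, &skipped);
        printf("this host: %d IP entries, %d with null ifa_addr\n", n, skipped);
        freeifaddrs(live);
    }
    return 0;
}
```

Running it on a host that reports a non-zero null count identifies a network configuration of the kind that triggers this crash in unpatched code.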