Closed Bug 1320326 Opened 5 years ago Closed 5 years ago

UBSan: ssl3_ConsumeHandshakeNumber(): left shift of 14025209 by 8 places cannot be represented in type 'PRInt32'

Categories

(NSS :: Libraries, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ttaubert, Assigned: ttaubert)

References

(Blocks 1 open bug)

Details

(Keywords: sec-low)

Attachments

(1 file)

../../lib/ssl/ssl3con.c:4370:20: runtime error: left shift of 14025209 by 8 places cannot be represented in type 'PRInt32' (aka 'int')
    #0 0x592c78 in ssl3_ConsumeHandshakeNumber /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:4370:20
    #1 0x55de1a in tls13_HandleNewSessionTicket /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:3867:11
    #2 0x558777 in tls13_HandlePostHelloHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:588:20
    #3 0x5c68b3 in ssl3_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11799:22
    #4 0x5d17d3 in ssl3_HandleHandshake /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11985:18
    #5 0x5cd507 in ssl3_HandleRecord /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12753:22
    #6 0x616a0a in ssl3_GatherCompleteHandshake /home/worker/nss/out/Debug/../../lib/ssl/ssl3gthr.c:407:18
    #7 0x61ac5b in ssl3_GatherAppDataRecord /home/worker/nss/out/Debug/../../lib/ssl/ssl3gthr.c:552:14
    #8 0x531f78 in DoRecv /home/worker/nss/out/Debug/../../lib/ssl/sslsecur.c:566:14
    #9 0x5315cb in ssl_SecureRecv /home/worker/nss/out/Debug/../../lib/ssl/sslsecur.c:870:10
    #10 0x532a2c in ssl_SecureRead /home/worker/nss/out/Debug/../../lib/ssl/sslsecur.c:879:12
    #11 0x54ce95 in ssl_Read /home/worker/nss/out/Debug/../../lib/ssl/sslsock.c:2735:10
    #12 0x7fc4e4443ad0 in PR_Read /home/worker/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c:109:9
    #13 0x4fd893 in client_fuzzing_target /home/worker/nss/out/Debug/../../fuzz/client_target.cc:354:18
    #14 0x64500b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:515:13
    #15 0x6451b7 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:469:3
    #16 0x64608d in fuzzer::Fuzzer::MutateAndTestOne() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:701:30
    #17 0x646347 in fuzzer::Fuzzer::Loop() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:734:5
    #18 0x639e3a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:525:6
    #19 0x51be68 in main /home/worker/nss/out/Debug/../../fuzz/nssfuzz.cc:147:10
    #20 0x7fc4e4f9b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x42f398 in _start (/home/worker/dist/Debug/bin/nssfuzz+0x42f398)

SUMMARY: AddressSanitizer: undefined-behavior ../../lib/ssl/ssl3con.c:4370:20 in

Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
https://hg.mozilla.org/projects/nss/rev/e2fc4c464d50
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.29
Group: crypto-core-security → core-security-release
Group: core-security-release