UndefinedBehaviorSanitizer: netwerk/protocol/http/nsHttpConnection.cpp:710:10: runtime error: load of value 3, which is not a valid value for type 'bool'
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
 | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox-esr68 | --- | wontfix
firefox69 | --- | wontfix
firefox70 | --- | wontfix
firefox71 | --- | fixed
People
(Reporter: decoder, Assigned: decoder)
References
(Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(3 files)
The attached testcase crashes on mozilla-central revision 3bfc0e27d038 (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).
For detailed crash information, see attachment.
To reproduce the issue, perform the following steps:
1. Download the attached testcase, save as "test.bin".
2a. Build with --enable-fuzzing (requires Clang and ASan), also build gtests using `./mach gtest dontruntests`.
2b. Alternatively you can download builds from TC using `python -mfuzzfetch -a --fuzzing --tests gtest` (see https://github.com/MozillaSecurity/fuzzfetch).
3. Run `MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2ProxyHttp2 objdir/dist/bin/firefox test.bin`
Comment 3 • 5 years ago (Assignee)
Not s-s, I already investigated it and have a patch.
The problem is this code in nsHttpConnection:

```cpp
// nsHttpConnection.cpp as quoted in the comment: the nsresult returned by GetEsniUsed is dropped
mSocketTransport->GetEsniUsed(&esni);
Telemetry::Accumulate(
    Telemetry::ESNI_NOESNI_TLS_SUCCESS_RATE,
    (esni) ? ((handshakeSucceeded) ? ESNI_SUCCESSFUL : ESNI_FAILED)
           : ((handshakeSucceeded) ? NO_ESNI_SUCCESSFUL : NO_ESNI_FAILED));
```

which ignores the return value of GetEsniUsed. In the HTTP2 over HTTP2 proxy case, this method is implemented in TunnelUtils.cpp and returns NS_ERROR_NOT_IMPLEMENTED, so this code is reading uninitialized memory for the esni variable.

The only impact this probably has is that the data for Telemetry::ESNI_NOESNI_TLS_SUCCESS_RATE is probably bogus now in cases where an HTTP2 proxy is used.
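The failure mode described in comment 3, as an added example that is not Gecko code and not the landed patch: a minimal model of a transport whose GetEsniUsed returns NS_ERROR_NOT_IMPLEMENTED without touching the out-parameter, the buggy caller shape that drops the nsresult (with the uninitialized stack value made explicit so the effect is deterministic), and a hardened caller that initializes the flag and checks the result. The nsresult values, NS_SUCCEEDED helper and bucket numbering are assumptions.

```cpp
#include <cstdint>

// Stand-ins for Gecko's nsresult machinery (assumed values, not the real headers).
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_NOT_IMPLEMENTED = 0x80004001u;
constexpr bool NS_SUCCEEDED(nsresult rv) { return (rv & 0x80000000u) == 0; }

// Buckets of ESNI_NOESNI_TLS_SUCCESS_RATE (numbering assumed).
enum EsniBucket { NO_ESNI_FAILED = 0, NO_ESNI_SUCCESSFUL = 1, ESNI_FAILED = 2, ESNI_SUCCESSFUL = 3 };

// Model of the socket transport: the plain TLS path fills *aEsni, while the
// HTTP/2-over-HTTP/2-proxy tunnel path (TunnelUtils.cpp in the report) does not.
struct SocketTransport {
  bool tunneled;   // true models the HTTP/2 proxy case
  bool esniUsed;   // only meaningful when !tunneled
  nsresult GetEsniUsed(bool* aEsni) const {
    if (tunneled) return NS_ERROR_NOT_IMPLEMENTED;  // *aEsni deliberately left untouched
    *aEsni = esniUsed;
    return NS_OK;
  }
};

// Buggy caller shape from the report. In real code `esni` is uninitialized; here the
// leftover stack content is passed in explicitly so the dependence on it is visible.
EsniBucket bucketBuggy(const SocketTransport& t, bool handshakeSucceeded, bool staleStack) {
  bool esni = staleStack;            // whatever happened to be on the stack
  t.GetEsniUsed(&esni);              // nsresult ignored: esni unchanged on the tunnel path
  return esni ? (handshakeSucceeded ? ESNI_SUCCESSFUL : ESNI_FAILED)
              : (handshakeSucceeded ? NO_ESNI_SUCCESSFUL : NO_ESNI_FAILED);
}

// Hardened caller: initialize the flag and only trust it when the getter succeeded,
// so a transport that cannot report ESNI is counted as "no ESNI" rather than as garbage.
EsniBucket bucketFixed(const SocketTransport& t, bool handshakeSucceeded) {
  bool esni = false;
  if (!NS_SUCCEEDED(t.GetEsniUsed(&esni))) esni = false;
  return esni ? (handshakeSucceeded ? ESNI_SUCCESSFUL : ESNI_FAILED)
              : (handshakeSucceeded ? NO_ESNI_SUCCESSFUL : NO_ESNI_FAILED);
}
```

Under UBSan the real code trips because the untouched byte can hold a value such as 3, which is not a valid bool; the model above only shows that the reported bucket depends on that leftover value.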