Open Bug 1920466 Opened 1 month ago Updated 5 hours ago

nssfuzz-dtls-server: Assertion failure: PR_FALSE, at ../../lib/ssl/ssl3gthr.c:361

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: mdauer, Assigned: mdauer)

Attachments

(2 files)

OSS-Fuzz: https://oss-fuzz.com/testcase-detail/6380815661989888

Details

Debug assertion failure. The assert was added Jan 2020 in 8b7f0180c5b05870c67fcc06338749e42863c74f as part of Bug 1599514. From what I can tell, it looks like we can remove the assert as it seems to be handled just fine:

        if (contentType & 0x10) {
            PORT_Assert(PR_FALSE);
            PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
            gs->dtlsPacketOffset = 0;
            gs->dtlsPacket.len = 0;
            return -1;
        }

Reproduction

  1. Download the attached testcase
  2. Build NSS with ./build.sh -c --fuzz
  3. Run /path/to/dist/Debug/bin/nssfuzz-dtls-server /path/to/testcase

Stack trace

Assertion failure: PR_FALSE, at ../../lib/ssl/ssl3gthr.c:361
AddressSanitizer:DEADLYSIGNAL
	=================================================================
	==13563==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000034fb (pc 0x7a6c029a400b bp 0x7ffe2f26ac70 sp 0x7ffe2f26a9f0 T0)
	SCARINESS: 10 (signal)
	    #0 0x7a6c029a400b in raise /build/glibc-LcI20x/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
	    #1 0x7a6c02983858 in abort /build/glibc-LcI20x/glibc-2.31/stdlib/abort.c:79:7
	    #2 0x5c2c1a33557b in PR_Assert nspr/pr/src/io/prlog.c:556:3
	    #3 0x5c2c19943811 in dtls_GatherData nss/lib/ssl/ssl3gthr.c:361:13
	    #4 0x5c2c19943811 in ssl3_GatherCompleteHandshake nss/lib/ssl/ssl3gthr.c:525:18
	    #5 0x5c2c1994a4ef in ssl_GatherRecord1stHandshake nss/lib/ssl/sslcon.c:73:10
	    #6 0x5c2c197f1ad8 in ssl_Do1stHandshake nss/lib/ssl/sslsecur.c:43:14
	    #7 0x5c2c197f5b5e in SSL_ForceHandshake nss/lib/ssl/sslsecur.c:431:14
	    #8 0x5c2c1975b2e2 in DoHandshake(PRFileDesc*, bool) nss/fuzz/tls_common.cc:54:10
	    #9 0x5c2c19756dfe in LLVMFuzzerTestOneInput nss/fuzz/tls_server_target.cc:168:3
	    #10 0x5c2c1a329749 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
	    #11 0x5c2c1a329545 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:0
	    #12 0x5c2c1a3290fd in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
	    #13 0x7a6c02985082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
	    #14 0x5c2c19678aed in _start

SSL Options

============= ServerConfig =============
SSL_NO_CACHE:                           1
SSL_ENABLE_EXTENDED_MASTER_SECRET:      0
SSL_REQUEST_CERTIFICATE:                1
SSL_REQUIRE_CERTIFICATE:                0
SSL_ENABLE_DEFLATE:                     1
SSL_CBC_RANDOM_IV:                      1
SSL_REQUIRE_SAFE_NEGOTIATION:           1
SSL_ENABLE_GREASE:                      0
SSL_SetCertificateCompressionAlgorithm: 0
SSL_VersionRangeSet:                    1
  Min:                                  771
  Max:                                  772
SSL_AddExternalPsk:                     1
  Type:                                 5
SSL_ENABLE_0RTT_DATA:                   1
SSL_ENABLE_ALPN:                        0
SSL_ENABLE_FALLBACK_SCSV:               0
SSL_ENABLE_SESSION_TICKETS:             0
SSL_NO_LOCKS:                           1
========================================
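An added example (not NSS code and not part of the original report) showing the handling pattern the quoted snippet relies on: a record header parsed from an untrusted datagram ends every unsupported or malformed case in an error return, with no assertion on the path. It assumes the `contentType & 0x10` test corresponds to the Connection ID (C) bit of the DTLS 1.3 unified header in RFC 9147; all function, struct and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names. Bit layout per RFC 9147 section 4: first byte 001CSLEE. */
enum hdr_status { HDR_OK = 0, HDR_TRUNCATED = -1, HDR_NOT_UNIFIED = -2, HDR_CID_UNSUPPORTED = -3 };
struct unified_hdr {
    size_t hdr_len;      /* bytes before the encrypted record body */
    unsigned epoch_low;  /* low two bits of the epoch */
    int has_length;      /* L bit: explicit 16-bit length present */
    uint16_t body_len;   /* valid only when has_length is set */
};

/* Parse the header of one record from an untrusted datagram. Every malformed
 * or unsupported input ends in an error return, never in an assertion. */
static enum hdr_status parse_unified_hdr(const uint8_t *buf, size_t len, struct unified_hdr *out)
{
    if (len < 1)
        return HDR_TRUNCATED;
    uint8_t b = buf[0];
    if ((b & 0xE0) != 0x20)                 /* fixed bits must be 001 */
        return HDR_NOT_UNIFIED;
    if (b & 0x10)                           /* C bit: Connection ID present */
        return HDR_CID_UNSUPPORTED;         /* network-reachable, so reject */
    size_t seq_len = (b & 0x08) ? 2 : 1;    /* S bit: 16- or 8-bit sequence */
    size_t hdr_len = 1 + seq_len + ((b & 0x04) ? 2 : 0);
    if (len < hdr_len)
        return HDR_TRUNCATED;
    out->hdr_len = hdr_len;
    out->epoch_low = b & 0x03;
    out->has_length = (b & 0x04) != 0;
    out->body_len = 0;
    if (out->has_length) {
        const uint8_t *p = buf + 1 + seq_len;
        out->body_len = (uint16_t)((p[0] << 8) | p[1]);
        if ((size_t)out->body_len > len - hdr_len)
            return HDR_TRUNCATED;           /* declared length overruns datagram */
    }
    return HDR_OK;
}

int main(void)
{
    /* Constructed sample: first byte 0x3E has the C bit set. */
    const uint8_t cid_record[] = { 0x3E, 0x00, 0x01, 0x00, 0x00 };
    struct unified_hdr h;
    printf("status=%d\n", parse_unified_hdr(cid_record, sizeof cid_record, &h));
    return 0;
}
```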

Summary: nss-dtls-server: Assertion failure: PR_FALSE, at ../../lib/ssl/ssl3gthr.c:361 → nssfuzz-dtls-server: Assertion failure: PR_FALSE, at ../../lib/ssl/ssl3gthr.c:361
Component: Test → Libraries

@Maurice, can you set a priority and severity please?

Flags: needinfo?(mdauer)
Severity: -- → S4
Flags: needinfo?(mdauer)
Priority: -- → P3
Assignee: nobody → mdauer
Status: NEW → ASSIGNED