Closed Bug 665518 Opened 9 years ago Closed 9 years ago

Websocket Data Framing crash [@mozilla::net::nsWebSocketHandler::ApplyMask]

Categories

(Core :: Networking: WebSockets, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla7
Tracking Status
firefox6 + fixed
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: posidron, Assigned: mcmanus)

References

Details

(Whiteboard: [sg:critical?])

Attachments

(2 files)

Attached file callstack
Received connection: ('127.0.0.1', 61673)
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: x6X5fx2b1lAIM7QZxYAlCH7GW6c=


Sending: b'\t\xff\xfe\x81\x05Hello'
Duplicate of this bug: 665536
section 4.2 says that the most-significant-bit of a 64 bit length must be 0.. (0xfe is the MSB of the length field above) and we are missing a check to enforce that.. failing to do so led to a quantity going negative and then various length checks failing.
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #540471 - Flags: review?(cbiesinger)
Attachment #540471 - Flags: review?(cbiesinger) → review+
is there a particular reason that PRInt64 payloadLength is signed ?
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/4b4280bad349
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
This should land to aurora too, right?
Attachment #540471 - Flags: approval-mozilla-aurora?
for the aurora review: this bug is found as part of websockets fuzz testing as part of the security review. yea for fuzz testing!
Comment on attachment 540471 [details] [diff] [review]
63 bit lengths v1

Approved for releases/mozilla-aurora
Attachment #540471 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
assuming worst-case sg:critical since it looks like we can overwrite heap data in ApplyMask() if we don't die reading out of bounds first.
Whiteboard: [sg:critical?]
Target Milestone: --- → mozilla7
Group: core-security
You need to log in before you can comment on or make changes to this bug.