Closed Bug 665518 Opened 13 years ago Closed 13 years ago

Websocket Data Framing crash [@mozilla::net::nsWebSocketHandler::ApplyMask]

Categories

(Core :: Networking: WebSockets, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla7
Tracking Status
firefox6 + fixed
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: posidron, Assigned: mcmanus)

References

Details

(Whiteboard: [sg:critical?])

Attachments

(2 files)

Attached file callstack
Received connection: ('127.0.0.1', 61673)
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: x6X5fx2b1lAIM7QZxYAlCH7GW6c=


Sending: b'\t\xff\xfe\x81\x05Hello'
Section 4.2 says that the most-significant bit of a 64-bit length must be 0 (0xfe is the MSB of the length field above), and we are missing a check to enforce that. Failing to do so led to a quantity going negative and then various length checks failing.
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #540471 - Flags: review?(cbiesinger)
Attachment #540471 - Flags: review?(cbiesinger) → review+
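The length check described in the comment above, as an added example that is not part of the original bug thread and is not Mozilla's patch. It assumes the frame layout of RFC 6455 (2-byte base header, length codes 126 and 127, 4-byte masking key); the function names, status codes and the well-formed sample frame are hypothetical or constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { WS_OK = 0, WS_NEED_MORE = 1, WS_BAD_LENGTH = -1 };  /* hypothetical codes */

/* Constructed from the report's "Sending:" line: b'\t\xff\xfe\x81\x05Hello'.
   0xff = mask bit + length code 127, so the next 8 bytes are the length. */
const uint8_t reported_frame[] =
    { 0x09, 0xff, 0xfe, 0x81, 0x05, 'H', 'e', 'l', 'l', 'o' };

/* Constructed well-formed frame: masked, 5-byte payload "Hello" XOR key. */
uint8_t good_frame[] =
    { 0x81, 0x85, 0x01, 0x02, 0x03, 0x04, 'H'^1, 'e'^2, 'l'^3, 'l'^4, 'o'^1 };

/* Parse the header in buf[0..avail). On WS_OK, *hdr + *len <= avail holds. */
int ws_parse_header(const uint8_t *buf, size_t avail, size_t *hdr, uint64_t *len)
{
    if (avail < 2) return WS_NEED_MORE;
    size_t off = 2;
    uint64_t n = buf[1] & 0x7f;            /* length stays unsigned throughout */
    if (n == 126) {
        if (avail < 4) return WS_NEED_MORE;
        n = ((uint64_t)buf[2] << 8) | buf[3];
        off = 4;
    } else if (n == 127) {
        if (avail < 10) return WS_NEED_MORE;
        if (buf[2] & 0x80) return WS_BAD_LENGTH;  /* top bit of 64-bit length must be 0 */
        n = 0;
        for (int i = 0; i < 8; i++) n = (n << 8) | buf[2 + i];
        off = 10;
    }
    if (buf[1] & 0x80) off += 4;           /* 4-byte masking key follows the length */
    /* Compare against the bytes that remain; no subtraction that can go negative. */
    if (avail < off || n > avail - off) return WS_NEED_MORE;
    *hdr = off;
    *len = n;
    return WS_OK;
}

/* Unmask in place, but only after the header has been validated. */
int ws_unmask(uint8_t *buf, size_t avail, size_t *hdr, uint64_t *len)
{
    int rc = ws_parse_header(buf, avail, hdr, len);
    if (rc != WS_OK || !(buf[1] & 0x80)) return rc;
    const uint8_t *key = buf + *hdr - 4;
    for (uint64_t i = 0; i < *len; i++) buf[*hdr + i] ^= key[i & 3];
    return WS_OK;
}
```

The reported frame is rejected at the top-bit test before any length arithmetic or masking runs; a frame whose payload is not fully buffered returns `WS_NEED_MORE` and is never unmasked.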
Is there a particular reason that PRInt64 payloadLength is signed?
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/4b4280bad349
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
This should land to aurora too, right?
Attachment #540471 - Flags: approval-mozilla-aurora?
For the aurora review: this bug was found as part of websockets fuzz testing as part of the security review. Yea for fuzz testing!
Comment on attachment 540471 [details] [diff] [review]
63 bit lengths v1

Approved for releases/mozilla-aurora
Attachment #540471 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assuming worst-case sg:critical, since it looks like we can overwrite heap data in ApplyMask() if we don't die reading out of bounds first.
Whiteboard: [sg:critical?]
Target Milestone: --- → mozilla7
Group: core-security