Closed Bug 665518 Opened 14 years ago Closed 14 years ago

Websocket Data Framing crash [@mozilla::net::nsWebSocketHandler::ApplyMask]

Categories

(Core :: Networking: WebSockets, defect)

Product:
Core
Component:
Networking: WebSockets
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla7
Tracking Flags:
Tracking Status
firefox6 + fixed
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: posidron, Assigned: mcmanus)

References

Details

(Whiteboard: [sg:critical?])

Attachments

(2 files)

callstack
2.97 KB, text/plain
Details
63 bit lengths v1
1.30 KB, patch
Biesinger
: review+
christian
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file callstack
Received connection: ('127.0.0.1', 61673) HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: x6X5fx2b1lAIM7QZxYAlCH7GW6c= Sending: b'\t\xff\xfe\x81\x05Hello'
section 4.2 says that the most-significant-bit of a 64 bit length must be 0.. (0xfe is the MSB of the length field above) and we are missing a check to enforce that.. failing to do so led to a quantity going negative and then various length checks failing.
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #540471 - Flags: review?(cbiesinger)
Attachment #540471 - Flags: review?(cbiesinger) → review+
is there a particular reason that PRInt64 payloadLength is signed ?
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/4b4280bad349
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
This should land to aurora too, right?
tracking-firefox6: --- → ?
Attachment #540471 - Flags: approval-mozilla-aurora?
for the aurora review: this bug is found as part of websockets fuzz testing as part of the security review. yea for fuzz testing!
tracking-firefox6: ?+
Comment on attachment 540471 [details] [diff] [review] 63 bit lengths v1 Approved for releases/mozilla-aurora
Attachment #540471 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
assuming worst-case sg:critical since it looks like we can overwrite heap data in ApplyMask() if we don't die reading out of bounds first.
Whiteboard: [sg:critical?]
Target Milestone: --- → mozilla7
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: