Last Comment Bug 675983 - Websockets - fail connection on 1st fragment with a continuation op code
: Websockets - fail connection on 1st fragment with a continuation op code
Status: RESOLVED FIXED
:
Product: Core
Classification: Components
Component: Networking: WebSockets (show other bugs)
: Trunk
: x86_64 Linux
: -- normal (vote)
: mozilla8
Assigned To: Patrick McManus [:mcmanus]
:
:
Mentors:
Depends on:
Blocks: 677461 664344
  Show dependency treegraph
 
Reported: 2011-08-02 09:53 PDT by Patrick McManus [:mcmanus]
Modified: 2011-08-09 11:48 PDT (History)
4 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch 1 (2.63 KB, patch)
2011-08-02 09:57 PDT, Patrick McManus [:mcmanus]
no flags Details | Diff | Splinter Review
v2: a few cleanups, same logic (4.25 KB, patch)
2011-08-05 01:56 PDT, Jason Duell [:jduell] (needinfo me)
jduell.mcbugs: review+
Details | Diff | Splinter Review

Description Patrick McManus [:mcmanus] 2011-08-02 09:53:55 PDT
https://github.com/oberstet/Autobahn test cases 3.8 3.9. and 3.14 send a frame with a continuation op-code (and the fin bit set) that isn't part of a continuation sequence. (i.e. there is no previous first-frag which would have no fin bit and a non-continuation non-control op code).

This isn't part of a valid fragment sequence, and it isn't a valid unfragmented message either. We ignore it.

Draft -10 doesn't appear to have a specific handling for this, but we close the connection on other invalid protocol sequences so I think that's the right thing to do here too as suggested in 664344.
Comment 1 Patrick McManus [:mcmanus] 2011-08-02 09:57:47 PDT
Created attachment 550113 [details] [diff] [review]
patch 1
Comment 2 Tobias Oberstein 2011-08-02 10:15:05 PDT
+1 for closing on those invalid sequences, even when draft-10 doesn't specify that. I think it should.

One remark: with case 3.14, FF does ignore only the payload of the first "continuation that doesn't continue anything":

Message send: ["sendframes",[{"opcode":0,"fin":true,"payload":"fragment1"},{"opcode":1,"fin":false,"payload":"fragment2"},{"opcode":0,"fin":true,"payload":"fragment3"},{"opcode":0,"fin":true,"payload":"fragment1"},{"opcode":1,"fin":false,"payload":"fragment2"},{"opcode":0,"fin":true,"payload":"fragment3"}]]
Message received: fragment2fragment3
Message received: fragment1
Message received: fragment2fragment3

The payload "fragment1" (of the 2nd invalid frame) _is_ popped up in JS.

Btw: depressing to watch you fix those bugs much faster than it takes me to find them;)
Comment 3 Patrick McManus [:mcmanus] 2011-08-02 10:30:31 PDT
(In reply to comment #2)

> One remark: with case 3.14, FF does ignore only the payload of the first
> "continuation that doesn't continue anything":
> 

I think this patch will fix that.. we weren't really totally ignoring the bogus frame - it just seemed that way ;) It still impacted the state.

> Btw: depressing to watch you fix those bugs much faster than it takes me to
> find them;)

your tool is a great help to firefox - I really appreciate it!

When I get to the end of your list of things I will start a build for you with all the queued (but unreviewed and uncommitted) patches in it so you can retest. What platform do you use?
Comment 4 Tobias Oberstein 2011-08-02 11:24:53 PDT
that'd be great! most of the time I'm on Win64 ..
Comment 5 Patrick McManus [:mcmanus] 2011-08-02 12:39:23 PDT
(In reply to comment #4)
> that'd be great! most of the time I'm on Win64 ..

The build directory is here - the windows build will be done in 3 or 4 hours from now:

https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/mcmanus@ducksong.com-95503e0b10d9/
Comment 6 Jason Duell [:jduell] (needinfo me) 2011-08-05 01:55:13 PDT
Comment on attachment 550113 [details] [diff] [review]
patch 1

Review of attachment 550113 [details] [diff] [review]:
-----------------------------------------------------------------

Logic OK, but I'm submitting a cleaned up version.

::: netwerk/protocol/websocket/WebSocketChannel.cpp
@@ +578,5 @@
>    mMaxMessageSize(16000000),
>    mStopOnClose(NS_OK),
>    mServerCloseCode(CLOSE_ABNORMAL),
>    mScriptCloseCode(0),
> +  mFragmentOpcode(kContinuation),

Is there any reason we store the fragment code in a PRUint8, when the spec dictates it's only 4 bits, so would fit in an unsigned char?  Or conversely, if we're going to keep it as an 8 bit value, why not initialize mFragmentOpcode to some "illegal" value, just for clarity? (I'm not doing either change in my patch: I'd lean toward using the 4-bit type: thoughts?).

Also, since we only set mFragmentOpCode once (for the first fragment), it's really the "overall message" opcode (and doesn't correspond to the current fragment's opcode).  I've renamed it mMessageType.

@@ +879,5 @@
>        if (opcode == kContinuation) {
> +
> +        // Make sure this continuation fragment isn't the first fragment
> +        if (mFragmentOpcode == kContinuation) {
> +          LOG(("WebSocketHeandler:: continuation code in first fragment\n"));

The wrong class name AND it's misspelled: for shame! :)

@@ +903,5 @@
>          payloadLength += mFragmentAccumulator;
>          avail += mFragmentAccumulator;
>          mFragmentAccumulator = 0;
>          opcode = mFragmentOpcode;
> +        mFragmentOpcode = kContinuation;

add

  // reset opcode to detect if next message illegally starts with continuation
Comment 7 Jason Duell [:jduell] (needinfo me) 2011-08-05 01:56:49 PDT
Created attachment 550974 [details] [diff] [review]
v2: a few cleanups, same logic

Let me know if you're ok with my fixes (and maybe change mMessageType to 4 bit if you think that's ok).
Comment 8 Patrick McManus [:mcmanus] 2011-08-05 06:05:51 PDT
Thanks for the updates jason. But actually, I prefer my patch in all respects except for the typo in the log message and your additional comment.

mMessageType is not correctly named. It is the opcode of an in-progress fragmented message - it does not apply to all messages.  mFragmentMessageOpcode would be acceptable to me if you insist on a change.

You also changed my log about nested fragments making it less informative imo (and shamefully left my mangled class name in it after you changed it!). That's not germane to this bug in any event.
 
I have mixed feelings on the 4 bit data type (you incur a lot of under the covers masking for no particular benefit.. there can only be 200 of these objects after all) - no reason to make it part of this bug fix in any event.
Comment 9 Jason Duell [:jduell] (needinfo me) 2011-08-08 23:46:55 PDT
http://hg.mozilla.org/integration/mozilla-inbound/rev/e47729ef7552

Scrapped my changes other than comment fixups.

Started to write test for this and other fragment msg cases, but ran into some stupid issues (python--meh), so moved to bug 677461.

Note You need to log in before you can comment on or make changes to this bug.