spdy hdr decompress context screwed up by server push

RESOLVED FIXED in Firefox 12

Status

()

Core
Networking: HTTP
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: mcmanus, Assigned: mcmanus)

Tracking

Trunk
mozilla12
x86_64
Linux
Points:
---

Firefox Tracking Flags

(firefox10 unaffected, firefox11 affected, firefox12 fixed)

Details

(Whiteboard: [qa?])

Attachments

(1 attachment)

(Assignee)

Description

6 years ago
node-spdy is the first backend to implement server push. right now we rst any pushed streams, but we need to decompress the headers in those push frames so that the decompress context stays in sync with the sender. confirmed that interop continues with the patch attached to this bug.
(Assignee)

Comment 1

6 years ago
Created attachment 588668 [details] [diff] [review]
patch 0

Hi honza, this is an interop issue so I'd like to expedite it to whatever extent possible.. might even nom for aurora.
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #588668 - Flags: review?(honzab.moz)

Comment 2

6 years ago
Btw, supporting push streams would be cool feature too :)
(Assignee)

Comment 3

6 years ago
(In reply to Fedor Indutny from comment #2)
> Btw, supporting push streams would be cool feature too :)

yes - just a few things to sort out to make sure there isn't room for cache poisoning attacks and so on..
Comment on attachment 588668 [details] [diff] [review]
patch 0

Review of attachment 588668 [details] [diff] [review]:
-----------------------------------------------------------------

Ups.. I didn't catch this even during the review (almost done by this time, btw).

r=honzab

For channel drivers: this is patch for a bug in a feature that is by default pref'ed off but people out there are testing it by manually pref'ing it on (including my self).  So it would be helpful and harmless to land it on aurora as well.

::: netwerk/protocol/http/SpdySession.cpp
@@ +776,5 @@
>  {
>    NS_ABORT_IF_FALSE(self->mFrameControlType == CONTROL_TYPE_SYN_STREAM,
>                      "wrong control type");
>    
> +  if (self->mFrameDataSize < 18) {

Hmm.. a bug in the spec apparently.
Attachment #588668 - Flags: review?(honzab.moz)
Attachment #588668 - Flags: review+
Attachment #588668 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 5

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/59cb54c6dfe1
status-firefox10: --- → unaffected
status-firefox11: --- → affected
status-firefox12: --- → fixed
https://hg.mozilla.org/mozilla-central/rev/59cb54c6dfe1
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Version: 11 Branch → Trunk

Updated

6 years ago
Target Milestone: --- → mozilla12

Updated

6 years ago
Attachment #588668 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Is this something QA can verify?
Whiteboard: [qa?]
You need to log in before you can comment on or make changes to this bug.