Closed Bug 742614 Opened 13 years ago Closed 13 years ago

Allocation of string is not checked in WebSockets text frame parsing, which can lead to data being truncated before being returned to the application

Categories

(Core :: Networking: WebSockets, defect)

Product:
Core
Component:
Networking: WebSockets
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla16
Tracking Flags:
Tracking Status
firefox14 --- fixed
firefox15 --- fixed

People

(Reporter: briansmith, Assigned: jduell.mcbugs)

References

Details

Attachments

(2 files)

v1. check allocation
1.34 KB, patch
briansmith
: review+
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Same patch w/o fallible_t for beta
1.39 KB, patch
briansmith
: review+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
See http://hg.mozilla.org/mozilla-central/annotate/ed9cbe6a817e/netwerk/protocol/websocket/WebSocketChannel.cpp#l1065 We attempt to create an nsCString of the given length, which may be VERY large (up to 2^31, AFAICT). After we create the string, we don't check the length of the string to make sure it succeeded. Consequently, when we call CallOnMessageAvailable, we may have truncated the data to "". And, CallOnMessageAvailable makes a copy of that string, and that copying has the same problem. BTW, does this mean that, once we have infallable strings (bug 737164), then any server can instantly crash Firefox with an OOM by sending a single very large text frame--i.e. a ping of death? I know that we generally accept that a server can cause us OOM accidentally or on purpose, but this seems a little too easy.
BTW, I assigned this to Patrick because I originally thought it was a security bug caused by his checkin (based on hg blame), but AFAICT it isn't directly a security bug, so I am unassigning it.
Assignee: mcmanus → nobody
Assignee: nobody → jduell.mcbugs
Thanks for noticing this. Patch uses new fallible_t String API that landed in bug 737164.
Attachment #623072 - Flags: review?(bsmith)
Attachment #623072 - Flags: review?(bsmith) → review?(mcmanus)
Comment on attachment 623072 [details] [diff] [review] v1. check allocation Review of attachment 623072 [details] [diff] [review]: ----------------------------------------------------------------- This will stop a crash.
Attachment #623072 - Flags: review?(mcmanus) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/496ea1df8876
Target Milestone: --- → mozilla16
Comment on attachment 623072 [details] [diff] [review] v1. check allocation One liner allocation check that prevents large websocket messages from crashing browser. I can port to beta too if we want, but will need different patch since this one relies on bug 737164. Let me know. [Approval Request Comment] Risk to taking this patch (and alternatives if risky): ~0% String or UUID changes made by this patch: none
Attachment #623072 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/496ea1df8876
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 623072 [details] [diff] [review] v1. check allocation [Triage comment] Looks good, feel free to nominate a patch for beta and we'll approve it.
Attachment #623072 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Just a version w/o using fallible_t, for the beta branch
Attachment #635046 - Flags: review?(bsmith)
Attachment #635046 - Flags: review?(bsmith) → review+
Comment on attachment 635046 [details] [diff] [review] Same patch w/o fallible_t for beta Beta version of patch.
Attachment #635046 - Flags: approval-mozilla-beta?
Attachment #635046 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: