Closed Bug 744126 Opened 8 years ago Closed 8 years ago

[Security Review][Action Item]Snappy Symbolic Server - Code Review

Categories

(mozilla.org :: Security Assurance, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Assigned: dchanm+bugzilla)


Details

(Whiteboard: [Snappy:P1][secr:dchan])

OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [pending code review] → [pending code review][Snappy]
Assignee: nobody → dchan+bugzilla
Status: NEW → ASSIGNED
Whiteboard: [pending code review][Snappy] → [pending code review][Snappy:P1]
Depends on: 744925
Depends on: 744927
Depends on: 744929
:vladan :lmandel

I've finished reviewing the code and testing the server. There wasn't much to test since the fields were validated with regexes and there is a try/catch around most of the code.

Even if a thread dies, the server continues to run. I couldn't think of a way to DoS the server. I'll close off this bug when the blockers are addressed.

The broken pipe error may have to be addressed with timeouts or something similar. I can't imagine the lookup taking more than a couple seconds.
Patch with all the sec-review fixes: https://github.com/vdjeric/Snappy-Symbolication-Server/commit/67705706c605984e220f69469a68b455813923f5

I worked around the broken pipe problem by adding a 10 second timeout to the read from the connection socket.

I have marked the dependency bugs resolved, please re-open if that was the wrong thing to do.
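
The read timeout described in the comment above, as an added Python example that is not part of the bug or of the Snappy Symbolication Server code. It goes beyond a plain per-read timeout by enforcing one overall deadline and a size cap; the names `read_request`, `handle` and `MAX_REQUEST`, and the cap value, are assumptions made for illustration.

```python
import socket
import time

READ_TIMEOUT = 10.0      # seconds, the value mentioned in the comment above
MAX_REQUEST = 64 * 1024  # assumed cap on request size (not from the bug)


def read_request(conn, timeout=READ_TIMEOUT, max_bytes=MAX_REQUEST):
    """Read until the peer closes its write side, within one overall deadline.

    Returns the request bytes, or None if the deadline passes or the
    request exceeds max_bytes. settimeout() alone bounds each recv() call,
    so a client that drips one byte every few seconds could still hold the
    worker; recomputing the remaining time per call bounds the whole read.
    """
    deadline = time.monotonic() + timeout
    chunks, total = [], 0
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None
        if not chunk:              # peer finished sending
            return b"".join(chunks)
        total += len(chunk)
        if total > max_bytes:
            return None
        chunks.append(chunk)


def handle(conn):
    """Hypothetical per-connection handler: reply only to complete requests."""
    try:
        body = read_request(conn)
        if body is not None:
            conn.sendall(b"OK %d\n" % len(body))
    except OSError:
        pass                       # e.g. broken pipe: peer went away mid-reply
    finally:
        conn.close()
```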
I went through and VERIFIED that the fixes caught the exceptions. Closing out this bug.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [pending code review][Snappy:P1] → [Snappy:P1][secr:dchan]
Blocks: 753588