Closed
Bug 792068
Opened 12 years ago
Closed 12 years ago
WebRTC crash [@sctp_getopt]
Categories
(Core :: WebRTC: Signaling, defect)
Tracking
RESOLVED FIXED
Version | Tracking | Status |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: posidron, Assigned: jesup)
References
Details
(Keywords: crash, sec-critical, testcase, Whiteboard: [WebRTC][asan][blocking-webrtc+][qa-][adv-main18-])
Attachments
(3 files)
!!! Real PeerConnection constructor called OMG !!!
!!! {8b584e18-86b7-4449-bc22-0e93235ba802} : calling initialize
!!! Queue for {8b584e18-86b7-4449-bc22-0e93235ba802} is currently: []
!!! Queue for {8b584e18-86b7-4449-bc22-0e93235ba802} is currently: []
!!! mozPeerConnection constructor called [object Window @ 0x144746b80 (native @ 0x10426ed00)]
!!! {8b584e18-86b7-4449-bc22-0e93235ba802} : setRemoteDescription called
!!! {8b584e18-86b7-4449-bc22-0e93235ba802} : queued setRemoteDescription
!!! Queue for {8b584e18-86b7-4449-bc22-0e93235ba802} is currently: [setRemoteDescription,]
!!! {8b584e18-86b7-4449-bc22-0e93235ba802} : setRemoteDescription returned
!!! {8b584e18-86b7-4449-bc22-0e93235ba802} : listen() called
PeerConnectionImpl::Listen()
Comment 1 • 12 years ago • Reporter
Comment 2 • 12 years ago • Assignee
32/64 bit type-punning problem (casting a socklen_t * into a size_t *)
user_socket.c 2282
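The type-punning problem named in Comment 2, as an added C example that is not code from user_socket.c or the attached patch: it models the size_t-wide store through a cast `socklen_t *` with `memcpy` so the demo stays well-defined, then shows the copy-in/copy-out shape of the fix. `inner_getopt`, `caller_frame`, `CANARY` and the helper names are hypothetical, and the option value 42 is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>                 /* socklen_t */

/* Hypothetical inner routine: its length argument is an in-out size_t. */
static int inner_getopt(void *val, size_t *len)
{
    uint32_t answer = 42;               /* constructed option value */
    if (*len < sizeof(answer))
        return -1;
    memcpy(val, &answer, sizeof(answer));
    *len = sizeof(answer);              /* a size_t-wide store */
    return 0;
}

/* Constructed caller layout: a socklen_t with a neighbour right behind it. */
struct caller_frame { socklen_t len; uint32_t canary; };
#define CANARY 0xA5A5A5A5u

/* Same bytes as a store through (size_t *)&f.len; 1 if the neighbour is hit. */
int punned_store_clobbers_neighbour(void)
{
    struct caller_frame f = { (socklen_t)sizeof(uint32_t), CANARY };
    size_t wide = sizeof(uint32_t);     /* value the inner routine stores */
    size_t n = sizeof(wide) < sizeof(f) ? sizeof(wide) : sizeof(f);
    memcpy(&f, &wide, n);
    return f.canary != CANARY;
}

/* Fixed shape: widen by value, call, check the result fits, copy out. */
int getopt_fixed(void *val, socklen_t *option_len)
{
    size_t len = *option_len;           /* in */
    if (inner_getopt(val, &len) != 0 || (size_t)(socklen_t)len != len)
        return -1;
    *option_len = (socklen_t)len;       /* out */
    return 0;
}

/* Returns 1 if the fixed wrapper yields the value and spares the canary. */
int fixed_call_is_clean(void)
{
    struct caller_frame f = { (socklen_t)sizeof(uint32_t), CANARY };
    uint32_t val = 0;
    return getopt_fixed(&val, &f.len) == 0 && val == 42 &&
           f.len == sizeof(val) && f.canary == CANARY;
}

int main(void) { return fixed_call_is_clean() ? 0 : 1; }
```

On a platform where `size_t` is wider than `socklen_t`, `punned_store_clobbers_neighbour()` returns 1; where the two have the same width it returns 0.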
Updated • 12 years ago • Reporter
Blocks: fuzzing-webrtc
Comment 3 • 12 years ago • Assignee
Comment 4 • 12 years ago • Assignee
Comment on attachment 662262
Change cast
I'll fix the tabs...
Attachment #662262 - Flags: review?(ekr)
Updated • 12 years ago
Whiteboard: [WebRTC][asan] → [WebRTC][asan][blocking-webrtc+]
Updated • 12 years ago
Assignee: nobody → rjesup
status-firefox-esr10: --- → unaffected
status-firefox17: --- → unaffected
status-firefox18: --- → affected
tracking-firefox18: --- → +
Comment 5 • 12 years ago
Comment on attachment 662262
Change cast
Review of attachment 662262:
-----------------------------------------------------------------
::: netwerk/sctp/src/user_socket.c
@@ +2278,5 @@
> errno = EINVAL;
> return (-1);
> }
> case IPPROTO_SCTP:
> + size_t len = *option_len; /* sizeof(size_t) !+ sizeof(socklen_t) (on 64 bit) */
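Review bot: on the added line after `case IPPROTO_SCTP:`, a declaration cannot directly follow a case label in C before C23, so `size_t len = *option_len;` needs the case body wrapped in braces or the declaration moved to the top of the function. The comment's `!+` should read `!=`. Because `*option_len` is read here as the input length, the call that follows should be paired with a write-back of `len` to `*option_len`, with a check that the value fits in `socklen_t`; that part is not visible in the quoted lines.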
Do you really want to do a mid-function variable declaration in C? I tend to move it to the top, even though it is now legal.
Attachment #662262 - Flags: review?(ekr) → review+
Comment 6 • 12 years ago • Assignee
I actually wrapped it in {}'s after I uploaded the patch out of paranoia. Also, I noted it's an in-out parameter. This will get fixed by upstream, but until then I'll take this patch. (I'll check the SCTP repo first though)
Comment 7 • 12 years ago • Assignee
It is fixed upstream (I fed them the patch as well), checking if it's a good time to pull.
Comment 8 • 12 years ago • Assignee
Upstream fix imported:
https://hg.mozilla.org/projects/alder/rev/c566634f51c6
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago
Whiteboard: [WebRTC][asan][blocking-webrtc+] → [WebRTC][asan][blocking-webrtc+][qa-]
Updated • 12 years ago
Flags: in-testsuite?
Comment 9 • 12 years ago • Assignee
This is not a useful candidate for a testcase IMHO
Flags: in-testsuite? → in-testsuite-
Updated • 12 years ago
Whiteboard: [WebRTC][asan][blocking-webrtc+][qa-] → [WebRTC][asan][blocking-webrtc+][qa-][adv-main18-]
Updated • 12 years ago
status-firefox-esr17: --- → unaffected
Updated • 12 years ago
Group: core-security