Closed
Bug 838380
Opened 13 years ago
Closed 12 years ago
WebRTC STUN crash [@nr_stun_form_error_response]
Categories
(Core :: WebRTC: Networking, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla23
People
(Reporter: posidron, Assigned: jesup)
References
Details
(Keywords: crash, Whiteboard: [WebRTC],[blocking-webrtc+][qa-])
Crash Data
Attachments
(1 file)
|
1.30 KB,
patch
|
abr
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This crash occurred while fuzzing STUN responses.
465 res->header.type = NR_STUN_TYPE(request_method, NR_CLASS_ERROR_RESPONSE);
466 res->header.magic_cookie = req->header.magic_cookie;
467 memcpy(&res->header.id, &req->header.id, sizeof(res->header.id));
468
469 /* during development we should never see 500s (hopefully not in deployment either) */
470 assert(number != 500);
'\x01\x01\x00\\\xc5\xcbN\x1d\xc7\xbb\x9c\xf8[\x08_\x10\x13T\xc5(\x00\x01\x00\x08\x00\x01\xd4\x8eM\t\x1b\xfb\x00\x04\x00\x08\x00\x01\r\x96\x17\x15\x96y\x00\x05\x00\x08\x00\x01\r\x97\x00\x00\x00\x00\x80 \x00\x08\x00\x01\x11E\x88\xc2U\xe6\x80"\x00(Vovida.org 0.96 mozilla.org 6svc.amzn1 \x00'
Tested with m-i changeset: 120856:66efdc5f9355
|
||
Updated•13 years ago
|
Crash Signature: [@ nr_stun_form_error_response]
|
Assignee | |
Updated•13 years ago
|
Assignee: nobody → ekr
Whiteboard: [WebRTC],[blocking-webrtc+]
|
||
Updated•12 years ago
|
Assignee: ekr → adam
|
||
Updated•12 years ago
|
Priority: -- → P3
|
|
Assignee | |
Comment 1•12 years ago
|
||
Pretty obvious...
|
|
Assignee | |
Comment 2•12 years ago
|
||
Comment on attachment 734081 [details] [diff] [review]
don't crash browser on server 500 error
calls with possible 500 sources are in media/mtransport/third_party/nICEr/src/stun/stun_server_ctx.c
Either if the error is 0, or if the server returned error 500.
dmose: If you don't feel comfortable reviewing this, reassign to ekr (or abr can look on monday).
Attachment #734081 -
Flags: review?(dmose)
|
||
Comment 3•12 years ago
|
||
Removing asserts based on the receipt of data that could quite possible happen in the wild is a great plan.
A lot of times, though, when people write asserts like that, it's an indicator that the error-handling that follows the assert hasn't been thought out or is even known to be wrong. I don't have time to read the code and convince myself that the error handling is sane, so I'm gonna pass back to ekr.
|
|
||
Updated•12 years ago
|
Attachment #734081 -
Flags: review?(dmose) → review?(ekr)
|
|
Assignee | |
Updated•12 years ago
|
Assignee: adam → rjesup
|
|
Assignee | |
Comment 4•12 years ago
|
||
Comment on attachment 734081 [details] [diff] [review]
don't crash browser on server 500 error
ekr is busy this week; revectoring to abr
Attachment #734081 -
Flags: review?(ekr) → review?(adam)
|
|
||
Comment 5•12 years ago
|
||
Comment on attachment 734081 [details] [diff] [review]
don't crash browser on server 500 error
Review of attachment 734081 [details] [diff] [review]:
-----------------------------------------------------------------
r+ with the additional noted change.
::: media/mtransport/third_party/nICEr/src/stun/stun_build.c
@@ -474,5 @@
> case 300: str = "Try Alternate"; break;
> case 400: str = "Bad Request"; break;
> case 401: str = "Unauthorized"; break;
> case 420: str = "Unknown Attribute"; break;
> case 438: str = "Stale Nonce"; break;
Seven lines below this is an assert(0) that will fire if you get a response code that isn't in this switch statement. You'll want to remove it as well, since we don't want (e.g.) a server that returns "501" to trigger an assert either.
Attachment #734081 -
Flags: review?(adam) → review+
|
|
Assignee | |
Comment 6•12 years ago
|
||
status-firefox21:
--- → disabled
status-firefox22:
--- → affected
status-firefox23:
--- → affected
Whiteboard: [WebRTC],[blocking-webrtc+] → [WebRTC],[blocking-webrtc+][webrtc-uplift]
Target Milestone: --- → mozilla22
|
||
Comment 7•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Flags: in-testsuite-
Whiteboard: [WebRTC],[blocking-webrtc+][webrtc-uplift] → [WebRTC],[blocking-webrtc+][webrtc-uplift][qa-]
|
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 8•12 years ago
|
||
Comment on attachment 734081 [details] [diff] [review]
don't crash browser on server 500 error
[Approval Request Comment]
Bug caused by (feature/regressing bug #): N/A
User impact if declined: Browser will assert/crash on a 500 server error from STUN server
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky): nil - removes an unwanted assert; the code handles errors already.
String or IDL/UUID changes made by this patch: none
Attachment #734081 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
Attachment #734081 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Updated•12 years ago
|
tracking-firefox22:
--- → +
|
|
Assignee | |
Comment 9•12 years ago
|
||
Whiteboard: [WebRTC],[blocking-webrtc+][webrtc-uplift][qa-] → [WebRTC],[blocking-webrtc+][qa-]
|
|
||
Comment 10•12 years ago
|
||
The m-c version where it landed is 23.
Target Milestone: mozilla22 → mozilla23
|
|
Assignee | |
Comment 11•12 years ago
|
||
Sorry, I thought Target Milestone was supposed to reflect the earliest Milestone it's fixed in. If not, I can go back and update all the Aurora patches I just landed.
You need to log in
before you can comment on or make changes to this bug.
Description
•