Closed Bug 926042 Opened 6 years ago Closed 6 years ago

Crash on overly long path during digest authentication

Categories

(Core :: Networking: HTTP, defect)

17 Branch
x86_64
Linux
defect
Not set


VERIFIED FIXED
mozilla29

People

(Reporter: mbechler, Assigned: bagder)

Details

Attachments

(3 files)

Attached file firefox-backtrace.txt
When a resource with an overly long path (~40kb in my case) inside an HTTP digest authentication realm (previously authenticated) is opened, the application (here: Firefox 17.0.9 ESR, Gentoo) crashes with mozalloc_abort; backtrace attached.

Test page attached, or full test case available here: http://mbechler.eenterphace.org/firefox-test.htm

Not marking for Security as this seems to be DoS only and requires previous authentication to the realm, so only minor impact is expected.
Confirmed. The test page crashes my fresh (Jan 20 2014) mozilla-central build as well.
The attached patch makes the problem go away for me.

The problem was that the path length was stored in a *signed* 16 bit variable so it wrapped over 32K which then caused the code to pass in a negative length where a positive was assumed and.... *bang*
Assignee: nobody → daniel
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8362491 - Flags: review?(jduell.mcbugs)
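A constructed C model of the wrap described above (added here; it is not the attached patch or Firefox's code, and `DIGEST_PATH_CAP` is an assumed limit for the model): a ~40 KB path length narrowed into `int16_t` comes out negative, and a consumer that assumes a non-negative length should reject it before sizing any buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DIGEST_PATH_CAP 65536u   /* assumed cap for this model, not a Firefox value */

/* Constructed sample input: a request path of n bytes, like the ~40 KB one in the report. */
static char *make_long_path(size_t n) {
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memset(p, 'a', n);
    p[0] = '/';
    p[n] = '\0';
    return p;
}

/* Buggy pattern: the length is stored in a signed 16-bit variable. Any length
   >= 32768 wraps negative on two's-complement targets (40000 -> -25536; the
   narrowing conversion is implementation-defined but modular on GCC/Clang). */
static long path_length_int16(const char *path) {
    int16_t len = (int16_t)strlen(path);
    return len;
}

/* Fixed pattern: keep the length in size_t, the type strlen returns, and widen
   only into a type that can hold it. */
static long path_length_size_t(const char *path) {
    return (long)strlen(path);
}

/* The check a consumer should apply before trusting a length it will use to
   size a buffer: a negative value converted to size_t becomes a huge request,
   which is exactly what makes an infallible allocator abort. */
static int length_is_sane(long len) {
    return len >= 0 && (size_t)len <= DIGEST_PATH_CAP;
}
```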
Comment on attachment 8362491 [details] [diff] [review]
patch fixing this issue

Review of attachment 8362491 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!
Attachment #8362491 - Flags: review?(jduell.mcbugs) → review+
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc5112c72bba

Thanks for the patch, Daniel! One request, please make sure that future patches include commit information when requesting checkin. Makes life much easier for those landing on your behalf :)
https://developer.mozilla.org/en-US/docs/Mercurial_FAQ#How_can_I_generate_a_patch_for_somebody_else_to_check-in_for_me.3F
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/fc5112c72bba
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Keywords: verifyme
The testcase in comment 0 crashes the 01/03 mozilla-central like this: https://crash-stats.mozilla.com/report/index/4379ca97-f989-4400-ad9f-7c8f32140326.

Firefox 29.0b2 doesn't crash with the same testcase. Tested on Ubuntu 12.10 x86_64.
Status: RESOLVED → VERIFIED
Keywords: verifyme