Crash on overly long path during digest authentication

VERIFIED FIXED in mozilla29

Status


Core
Networking: HTTP
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: Moritz Bechler, Assigned: bagder)

Tracking

17 Branch
mozilla29
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 816219 [details]
firefox-backtrace.txt

When a resource with an overly long path (~40kb in my case) is opened inside an HTTP digest authentication realm (previously authenticated), the application (here: Firefox 17.0.9 ESR, Gentoo) crashes with mozalloc_abort, backtrace attached.

Test page attached, or full test case available here: http://mbechler.eenterphace.org/firefox-test.htm

Not marking for Security as this seems to be DoS only and requires previous authentication to the realm, so only minor impact is expected.
(Reporter)

Comment 1

5 years ago
Created attachment 816220 [details]
Test page to be put inside digest realm.
(Assignee)

Comment 2

4 years ago
Confirmed. The test page crashes my fresh (Jan 20 2014) mozilla-central build as well.
(Assignee)

Comment 3

4 years ago
Created attachment 8362491 [details] [diff] [review]
patch fixing this issue

The attached patch makes the problem go away for me.

The problem was that the path length was stored in a *signed* 16-bit variable, so it wrapped over 32K, which then caused the code to pass in a negative length where a positive was assumed and.... *bang*
Assignee: nobody → daniel
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8362491 - Flags: review?(jduell.mcbugs)
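
Added example, not part of the bug report or the Mozilla patch: a minimal C illustration of the truncation described in comment 3, showing what a signed 16-bit length does with a ~40 KB path next to a full-width, bounds-checked length. The names `make_path`, `path_len_narrow`, `as_unsigned_size`, `path_len_checked` and `MAX_PATH_LEN` are hypothetical, the paths are constructed, and the `size_t`-plus-cap handling is one possible hardening, not necessarily what the attached patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for this example; the bug report states no limit. */
#define MAX_PATH_LEN ((size_t)1 << 20)

/* Constructed input: "/" followed by 'a' bytes, n bytes in total. */
char *make_path(size_t n) {
    char *p = malloc(n + 1);
    if (p == NULL) return NULL;
    memset(p, 'a', n);
    p[0] = '/';
    p[n] = '\0';
    return p;
}

/* Before: the length lands in a signed 16-bit variable. Converting an
   out-of-range value to int16_t is implementation-defined; GCC and Clang
   reduce it modulo 2^16, so lengths 32768..65535 come out negative. */
int16_t path_len_narrow(const char *path) { return (int16_t)strlen(path); }

/* A negative length handed to code that expects an unsigned size becomes
   enormous (assumption: this is how a "positive assumed" consumer sees it). */
size_t as_unsigned_size(int16_t len) { return (size_t)len; }

/* After: keep the full-width length and reject oversized input explicitly.
   Returns 0 and stores the length, or -1 if the path exceeds the cap. */
int path_len_checked(const char *path, size_t *out) {
    size_t n = strlen(path);
    if (n > MAX_PATH_LEN) return -1;
    *out = n;
    return 0;
}

int main(void) {
    size_t sizes[] = { 100, 40000, 70000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        char *p = make_path(sizes[i]);
        size_t n = 0;
        if (p == NULL) return 1;
        int rc = path_len_checked(p, &n);
        printf("%zu bytes: int16_t=%d checked rc=%d len=%zu\n",
               sizes[i], path_len_narrow(p), rc, n);
        free(p);
    }
    return 0;
}
```

Note that a 70000-byte path wraps to a small positive value rather than a negative one, so a sign check alone on the narrow variable would not catch every oversized input.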
Comment on attachment 8362491 [details] [diff] [review]
patch fixing this issue

Review of attachment 8362491 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!
Attachment #8362491 - Flags: review?(jduell.mcbugs) → review+
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc5112c72bba

Thanks for the patch, Daniel! One request, please make sure that future patches include commit information when requesting checkin. Makes life much easier for those landing on your behalf :)
https://developer.mozilla.org/en-US/docs/Mercurial_FAQ#How_can_I_generate_a_patch_for_somebody_else_to_check-in_for_me.3F
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/fc5112c72bba
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29

Updated

4 years ago
Keywords: verifyme

Comment 7

4 years ago
The testcase in comment 0 crashes the 01/03 mozilla-central like this: https://crash-stats.mozilla.com/report/index/4379ca97-f989-4400-ad9f-7c8f32140326.

Firefox 29.0b2 doesn't crash with the same testcase. Tested on Ubuntu 12.10 x86_x64.
Status: RESOLVED → VERIFIED
Keywords: verifyme