Closed Bug 926042 Opened 11 years ago Closed 10 years ago

Crash on overly long path during digest authentication

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
17 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla29

People

(Reporter: mbechler, Assigned: bagder)

Details

Attachments

(3 files)

firefox-backtrace.txt
3.47 KB, text/plain
Details
Test page to be put inside digest realm.
39.08 KB, text/html
Details
patch fixing this issue
927 bytes, patch
jduell.mcbugs
: review+
Details | Diff | Splinter Review
Attached file firefox-backtrace.txt 
When a resource with a overly long path (~40kb in my case) is opened inside a HTTP digest authentication realm (previously authenticated) is openened the application (here: Firefox 17.0.9 ESR, gentoo) crashes with mozalloc_abort, backtrace attached.

Test page attached, or full test case available here: http://mbechler.eenterphace.org/firefox-test.htm

Not marking for Security as this seems to be DOS only and requires previous authentication to the realm, so only minor impact is expected.
Confirmed. The test page crashes my fresh (Jan 20 2014) mozilla-central build as well.
The attached patch makes the problem go away for me.

The problem was that the path length was stored in a *signed* 16 bit variable so it wrapped over 32K which then caused the code to pass in a negative length where a positive was assumed and.... *bang*
Assignee: nobody → daniel
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8362491 - Flags: review?(jduell.mcbugs)
Comment on attachment 8362491 [details] [diff] [review]
patch fixing this issue

Review of attachment 8362491 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!
Attachment #8362491 - Flags: review?(jduell.mcbugs) → review+
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc5112c72bba

Thanks for the patch, Daniel! One request, please make sure that future patches include commit information when requesting checkin. Makes life much easier for those landing on your behalf :)
https://developer.mozilla.org/en-US/docs/Mercurial_FAQ#How_can_I_generate_a_patch_for_somebody_else_to_check-in_for_me.3F
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/fc5112c72bba
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Keywords: verifyme
The testcase in comment 0 crashes the 01/03 mozilla-central like this: https://crash-stats.mozilla.com/report/index/4379ca97-f989-4400-ad9f-7c8f32140326.

Firefox 29.0b2 doesn't crash with the same testcase. Tested on Ubuntu 12.10 x86_x64.
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: