Closed Bug 932496 Opened 7 years ago Closed 6 years ago

ObexBase.cpp unsafe pointer increment

Categories

(Firefox OS Graveyard :: Bluetooth, defect)

Tracking

(firefox26 wontfix, firefox27 wontfix, firefox28 fixed, firefox-esr24 unaffected, b2g18 fixed, b2g-v1.1hd fixed, b2g-v1.2 fixed, b2g-v1.3 fixed, b2g-v1.3T fixed, b2g-v1.4 unaffected)

RESOLVED FIXED
1.3 Sprint 6 - 12/6

People

(Reporter: rfletcher, Assigned: echou)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main28+])

Attachments

(3 files, 5 obsolete files)

ObexBase.cpp defines a ParseHeaders() function that is responsible for parsing
a header. During parsing, ParseHeaders() extracts a device supplied 2-byte
contentLength from the header. Finally, ParseHeaders() increases a pointer by
that contentLength.

If ptr + contentLength > aHeaderStart + aTotalLength then [1] will read past
the object.

The worst case scenario appears to be a crash caused by a malicious
contentLength.

[1] http://mxr.mozilla.org/mozilla-central/source/dom/bluetooth/ObexBase.cpp#118
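
An added example (not part of the bug report and not Mozilla's patch) of the length check discussed in this bug: a standalone parser for OBEX-style headers that compares the claimed length with the bytes remaining before it advances. The function name, struct and sample packets are constructed for illustration; the header-id encoding (top two bits select the value format) follows the OBEX specification.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// One parsed header: id plus a view into the caller's buffer (no copy).
struct Header {
  uint8_t id;
  const uint8_t* value;
  size_t length;
};

// Parses OBEX-style headers from data[0..total). Returns false and leaves
// `out` empty if any header claims more bytes than the packet holds.
// (Hypothetical helper, not the ParseHeaders() in ObexBase.cpp.)
bool ParseHeadersChecked(const uint8_t* data, size_t total,
                         std::vector<Header>& out) {
  out.clear();
  size_t pos = 0;
  while (pos < total) {
    const uint8_t id = data[pos++];
    size_t remaining = total - pos;
    size_t contentLength = 0;

    switch (id >> 6) {
      case 0x00:    // Unicode text, 2-byte length prefix
      case 0x01: {  // byte sequence, 2-byte length prefix
        if (remaining < 2) { out.clear(); return false; }
        const size_t fieldLength = (size_t(data[pos]) << 8) | data[pos + 1];
        pos += 2;
        remaining -= 2;
        // The length field counts the id byte and itself (3 bytes), so a
        // smaller value would underflow the subtraction below.
        if (fieldLength < 3) { out.clear(); return false; }
        contentLength = fieldLength - 3;
        break;
      }
      case 0x02: contentLength = 1; break;  // 1-byte quantity
      default:   contentLength = 4; break;  // 4-byte quantity
    }

    // Compare lengths, not pointers: forming ptr + contentLength beyond the
    // end of the buffer is itself undefined behaviour in C++.
    if (contentLength > remaining) { out.clear(); return false; }

    out.push_back(Header{id, data + pos, contentLength});
    pos += contentLength;
  }
  return true;
}

// Constructed sample packets.
// Valid: Length header (0xC3, 4-byte value) + Body header (0x48), 2 bytes.
static const uint8_t kValid[] = {0xC3, 0x00, 0x00, 0x00, 0x02,
                                 0x48, 0x00, 0x05, 0xAA, 0xBB};
// Malformed: Body header claims 0xFFFF bytes but only 2 follow.
static const uint8_t kOversized[] = {0x48, 0xFF, 0xFF, 0xAA, 0xBB};
// Malformed: length field smaller than its own 3-byte prefix.
static const uint8_t kUndersized[] = {0x48, 0x00, 0x01};

int main() {
  std::vector<Header> h;
  bool ok = ParseHeadersChecked(kValid, sizeof(kValid), h) && h.size() == 2 &&
            !ParseHeadersChecked(kOversized, sizeof(kOversized), h) &&
            !ParseHeadersChecked(kUndersized, sizeof(kUndersized), h);
  return ok ? 0 : 1;
}
```
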
Hmm, should ObexBase be rewritten using nsCString as data structure.
Manual memcpy and malloc/free is error prone.
or could the bogus data be interpreted as something dangerous? I guess there's probably not much opportunity for a Bluetooth device to prep a FirefoxOS device's memory to take advantage of that
Assignee: nobody → echou
* Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
* Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
* contentLength should be uint16_t.
Attachment #8338384 - Flags: review?
Attachment #8338384 - Flags: feedback?(rfletcher)
(In reply to Eric Chou [:ericchou] [:echou] from comment #3)
> Created attachment 8338384 [details] [diff] [review]
> patch 1: v1: Add length check to prevent from memory pollusion
> 
> * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
> * Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
> * contentLength should be uint16_t.

One nit:
ClearHeader() appears to clear "all" headers. If that is the case, would it be better to name it ClearHeaders()?

Besides that, lgtm! Thanks Eric!
Comment on attachment 8338384 [details] [diff] [review]
patch 1: v1: Add length check to prevent from memory pollusion

Ahhh, newb'd this one up. Here is my response from the original bugzilla thread:
(In reply to Eric Chou [:ericchou] [:echou] from comment #3)
> Created attachment 8338384 [details] [diff] [review] [diff] [review]
> patch 1: v1: Add length check to prevent from memory pollusion
> 
> * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
> * Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
> * contentLength should be uint16_t.

One nit:
ClearHeader() appears to clear "all" headers. If that is the case, would it be better to name it ClearHeaders()?

Besides that, lgtm! Thanks Eric!
Attachment #8338384 - Flags: feedback?(rfletcher) → feedback-
(In reply to Rob Fletcher [:omerta] from comment #5)
> Comment on attachment 8338384 [details] [diff] [review]
> patch 1: v1: Add length check to prevent from memory pollusion
> 
> Ahhh, newb'd this one up. Here is my response from the original bugzilla
> thread:
> (In reply to Eric Chou [:ericchou] [:echou] from comment #3)
> > Created attachment 8338384 [details] [diff] [review]
> > patch 1: v1: Add length check to prevent from memory pollusion
> > 
> > * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
> > * Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
> > * contentLength should be uint16_t.
> 
> One nit:
> ClearHeader() appears to clear "all" headers. If that is the case, would it
> be better to name it ClearHeaders()?

You're right. Thanks!
* Updated based on Rob's comment.
Attachment #8338384 - Attachment is obsolete: true
Attachment #8338384 - Flags: review?
Attachment #8341568 - Flags: review?(gyeh)
Comment on attachment 8341568 [details] [diff] [review]
patch 1: v2: Add length check to prevent from memory pollusion

Review of attachment 8341568 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/bluetooth/ObexBase.cpp
@@ +122,5 @@
> +      MOZ_ASSERT(false);
> +      aRetHandlerSet->ClearHeaders();
> +      return;
> +    }
> +
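
Review bot: the `MOZ_ASSERT(false)` at the top of this error branch fires on input that the bug description says is device-supplied, so a malformed packet aborts debug builds, while in release builds the assert compiles out and the only signal left is an emptied header set. Because the branch ends in a bare `return;`, the caller cannot tell a rejected packet from one that carried no headers; consider replacing the assert with a logged warning and having ParseHeaders() return a success flag that the caller checks.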

I think that error handling in BluetoothOppManager is needed for this case.
* Updated based on Gina's comment.
Attachment #8341568 - Attachment is obsolete: true
Attachment #8341568 - Flags: review?(gyeh)
Attachment #8343569 - Flags: review?(gyeh)
Comment on attachment 8343569 [details] [diff] [review]
patch 1: v3: Add length check to prevent from memory pollusion

Review of attachment 8343569 [details] [diff] [review]:
-----------------------------------------------------------------

Great! :)
Attachment #8343569 - Flags: review?(gyeh) → review+
https://hg.mozilla.org/mozilla-central/rev/0f2650f8c995
Status: NEW → RESOLVED
Closed: 6 years ago
status-b2g18: --- → ?
status-b2g-v1.2: --- → ?
Resolution: --- → FIXED
Target Milestone: --- → 1.3 Sprint 6 - 12/6
Rob - Can you find out if this issue can reproduce on 1.2 or 1.1?
Flags: needinfo?(rfletcher)
This is present in mozilla-b2g18, mozilla-b2g18_v1_1_0_hd, and mozilla-b2g26_v1_2.

Yes, it's present in 1.2 and 1.1
Flags: needinfo?(rfletcher)
(In reply to Rob Fletcher [:omerta] from comment #14)
> This is present in mozilla-b2g18, mozilla-b2g18_v1_1_0_hd, and
> mozilla-b2g26_v1_2.
> 
> Yes, it's present in 1.2 and 1.1

Can you please nominate the for b2g26 and b2g18 uplift?
Flags: needinfo?(echou)
Attached patch patch for b2g26 (obsolete) — Splinter Review
* Patch for b2g26. Will test with this patch next Monday.
Flags: needinfo?(echou)
Attached patch patch for b2g18 (obsolete) — Splinter Review
* Patch for b2g18. Will test on Monday then request for uplift.
(In reply to Eric Chou [:ericchou] [:echou] from comment #16)
> Created attachment 8350903 [details] [diff] [review]
> patch for b2g26
> 
> * Patch for b2g26. Will test with this patch next Monday.

Verified.
Attachment #8350903 - Attachment is obsolete: true
* Updated. Final patch for b2g18.
Attachment #8350905 - Attachment is obsolete: true
Hi Bhavana,

Again, we need your help to uplift this security bug just like bug 932490. Thank you.
Flags: needinfo?(bbajaj)
Please request b2g26/b2g18 approval on the patches.
Flags: needinfo?(bbajaj)
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22)
> Please request b2g26/b2g18 approval on the patches.

To be honest I don't know what the criteria is for this kind of patch. Take bug 932543 as an example, at first I tried to nominate as koi+ in comment 24 and Jason told me to request for approval to uplift, so I did in comment 27. Then Bhavana explained why release team rather koi+'ing than using approval, so it turned out to be koi+. After that I nominate as leo+ to bug 932490 but soon I was told that 'we won't have leo triage anymore', so I ni? Bhavana again and everything looks just fine. Now I'm confused because we don't seem to have a procedure for developers to make these patches get uplifted.
Comment on attachment 8351307 [details] [diff] [review]
patch 1: final: patch for b2g26, r=gyeh

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning.
User impact if declined: no user impact. Security issue.
Testing completed: m-c and manual testing by transferring files.
Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution.
String or UUID changes made by this patch: no
Attachment #8351307 - Flags: approval-mozilla-b2g26?
Comment on attachment 8359024 [details] [diff] [review]
patch 1: final: patch for b2g18, r=gyeh

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning.
User impact if declined: no user impact. Security issue.
Testing completed: m-c and manual testing by transferring files.
Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution.
String or UUID changes made by this patch: no
Attachment #8359024 - Flags: approval-mozilla-b2g18?
(In reply to Eric Chou [:ericchou] [:echou] from comment #23)
> (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22)
> > Please request b2g26/b2g18 approval on the patches.
> 
> To be honest I don't know what the criteria is for this kind of patch.

I completely feel your pain. We (myself, Bhavana, and Preeti) had a discussion about this exact topic on Friday and requesting approval was the route we came to a consensus on. The B2G Landing page has also been updated to reflect this information. Sorry for the confusion, hopefully things are more straightforward in the future.
https://wiki.mozilla.org/Release_Management/B2G_Landing
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #26)
> (In reply to Eric Chou [:ericchou] [:echou] from comment #23)
> > (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22)
> > > Please request b2g26/b2g18 approval on the patches.
> > 
> > To be honest I don't know what the criteria is for this kind of patch.
> 
> I completely feel your pain. We (myself, Bhavana, and Preeti) had a
> discussion about this exact topic on Friday and requesting approval was the
> route we came to a consensus on. The B2G Landing page has also been updated
> to reflect this information. Sorry for the confusion, hopefully things are
> more straightforward in the future.
> https://wiki.mozilla.org/Release_Management/B2G_Landing

No problem. Thank you for clarifying that, Ryan.
FWIW, the b2g26 backport is green on Try.

The b2g18 backport is busted, however.

20:23:39     INFO -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: In member function 'bool mozilla::dom::bluetooth::BluetoothOppManager::WriteToFile(const uint8_t*, int)':
20:23:39  WARNING -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:575: warning: comparison between signed and unsigned integer expressions
20:23:39     INFO -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: In member function 'void mozilla::dom::bluetooth::BluetoothOppManager::ServerDataHandler(mozilla::ipc::UnixSocketRawData*)':
20:23:39    ERROR -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:791: error: 'ReplyError' was not declared in this scope
20:23:39    ERROR -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:804: error: 'ReplyError' was not declared in this scope
20:23:39     INFO -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: At global scope:
20:23:39    ERROR -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:1253: error: no 'void mozilla::dom::bluetooth::BluetoothOppManager::ReplyError(uint8_t)' member function declared in class 'mozilla::dom::bluetooth::BluetoothOppManager'
20:23:39     INFO -  In the directory  /builds/slave/b2g_try_emu_dep-00000000000000/build/objdir-gecko/dom/bluetooth
20:23:39     INFO -  The following command failed to execute properly:
20:23:39    ERROR -  make[7]: *** [BluetoothOppManager.o] Error 1
Flags: needinfo?(echou)
* Patch updated. Should fix the bustage.

Is there any way I can run try based on a specific branch like b2g18 or b2g26 by myself to save your time?
Attachment #8359024 - Attachment is obsolete: true
Attachment #8359024 - Flags: approval-mozilla-b2g18?
Flags: needinfo?(echou)
Comment on attachment 8362358 [details] [diff] [review]
patch 1: final: patch for b2g18, r=gyeh

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning.
User impact if declined: no user impact. Security issue.
Testing completed: m-c and manual testing by transferring files.
Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution.
String or UUID changes made by this patch: no
Attachment #8362358 - Flags: approval-mozilla-b2g18?
(In reply to Eric Chou [:ericchou] [:echou] from comment #29)
> Is there any way I can run try based on a specific branch like b2g18 or
> b2g26 by myself to save your time?

You can push to Try on top of any branch. It doesn't always work well because it assumes a trunk-like config, but it generally is OK to at least say it builds.
(In reply to Eric Chou [:ericchou] [:echou] from comment #29)
> * Patch updated. Should fix the bustage.

It does :)
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #31)
> (In reply to Eric Chou [:ericchou] [:echou] from comment #29)
> > Is there any way I can run try based on a specific branch like b2g18 or
> > b2g26 by myself to save your time?
> 
> You can push to Try on top of any branch. It doesn't always work well
> because it assumes a trunk-like config, but it generally is OK to at least
> say it builds.

Yeah, I know what it would look like. Thanks, Ryan.
Attachment #8362358 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Attachment #8351307 - Flags: approval-mozilla-b2g26? → approval-mozilla-b2g26+
Whiteboard: [adv-main28+]
Does it impact also ESR24?
No, this is some kind of Bluetooth thing which doesn't affect desktop.
Group: core-security