932496 - ObexBase.cpp unsafe pointer increment

Status: RESOLVED FIXED

(Firefox OS Graveyard :: Bluetooth, defect)

Description

[Rob Fletcher [:omerta]]

ObexBase.cpp defines a ParseHeaders() function that is responsible for parsing
a header. During parsing, ParseHeaders() extracts a device supplied 2-byte
contentLength from the header. Finally, ParseHeaders() increases a pointer by
that contentLength.

If ptr + contentLength > aHeaderStart + aTotalLength then [1]  will read pass
the object.

The worst case scenario appears to be a crash caused by a malicious
contentLength.

[1] http://mxr.mozilla.org/mozilla-central/source/dom/bluetooth/ObexBase.cpp#118

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

Hmm, should ObexBase be rewritten using nsCString as data structure.
Manual memcpy and malloc/free is error prone.

Comment 2

[Daniel Veditz [:dveditz]]

or could the bogus data be interpreted as something dangerous? I guess there's probably not much opportunity for a Bluetooth device to prep a FirefoxOS device's memory to take advantage of that

Comment 3

[Eric Chou [:ericchou] [:echou]]

Attachment: patch 1: v1: Add length check to prevent from memory pollusion

* Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
* Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
* contentLength should be uint16_t.

Comment 4

[Rob Fletcher [:omerta]]

(In reply to Eric Chou [:ericchou] [:echou] from comment #3)
> Created attachment 8338384 [details] [diff] [review]
> patch 1: v1: Add length check to prevent from memory pollusion
> 
> * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
> * Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
> * contentLength should be uint16_t.

One nits:
ClearHeader() appears to clear "all" headers. If that is the case, would it be better to name it ClearHeaders()?

Besides that, lgtm! Thanks Eric!

Comment 5

[Rob Fletcher [:omerta]]

Comment on attachment 8338384 [details] [diff] [review]
patch 1: v1: Add length check to prevent from memory pollusion

Ahhh, newb'd this one up. Here is my response from the original bugzilla thread:
(In reply to Eric Chou [:ericchou] [:echou] from comment #3)
> Created attachment 8338384 [details] [diff] [review] [diff] [review]
> patch 1: v1: Add length check to prevent from memory pollusion
> 
> * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
> * Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
> * contentLength should be uint16_t.

One nits:
ClearHeader() appears to clear "all" headers. If that is the case, would it be better to name it ClearHeaders()?

Besides that, lgtm! Thanks Eric!

Comment 6

[Eric Chou [:ericchou] [:echou]]

(In reply to Rob Fletcher [:omerta] from comment #5)
> Comment on attachment 8338384 [details] [diff] [review]
> patch 1: v1: Add length check to prevent from memory pollusion
> 
> Ahhh, newb'd this one up. Here is my response from the original bugzilla
> thread:
> (In reply to Eric Chou [:ericchou] [:echou] from comment #3)
> > Created attachment 8338384 [details] [diff] [review]
> > patch 1: v1: Add length check to prevent from memory pollusion
> > 
> > * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength'
> > * Add a new function ObexHeaderSet::ClearHeader() to empty the header set.
> > * contentLength should be uint16_t.
> 
> One nits:
> ClearHeader() appears to clear "all" headers. If that is the case, would it
> be better to name it ClearHeaders()?

You're right. Thanks!

Comment 7

[Eric Chou [:ericchou] [:echou]]

Attachment: patch 1: v2: Add length check to prevent from memory pollusion

* Updated based on Rob's comment.

Comment 8

[Gina Yeh [:gyeh] [:ginayeh]]

Comment on attachment 8341568 [details] [diff] [review]
patch 1: v2: Add length check to prevent from memory pollusion

Review of attachment 8341568 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/bluetooth/ObexBase.cpp
@@ +122,5 @@
> +      MOZ_ASSERT(false);
> +      aRetHandlerSet->ClearHeaders();
> +      return;
> +    }
> +

I think that error handling in BluetoothOppManager is needed for this case.

Comment 9

[Eric Chou [:ericchou] [:echou]]

Attachment: patch 1: v3: Add length check to prevent from memory pollusion

* Updated based on Gina's comment.

Comment 10

[Gina Yeh [:gyeh] [:ginayeh]]

Comment on attachment 8343569 [details] [diff] [review]
patch 1: v3: Add length check to prevent from memory pollusion

Review of attachment 8343569 [details] [diff] [review]:
-----------------------------------------------------------------

Great! :)

Comment 11

[Eric Chou [:ericchou] [:echou]]

https://hg.mozilla.org/integration/b2g-inbound/rev/0f2650f8c995

Thanks!

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/0f2650f8c995

Comment 13

[Jason Smith [:jsmith]]

Rob - Can you find out if this issue can reproduce on 1.2 or 1.1?

Comment 14

[Rob Fletcher [:omerta]]

This is present in mozilla-b2g18, mozilla-b2g18_v1_1_0_hd, and mozilla-b2g26_v1_2.

Yes, it's present in 1.2 and 1.1

Comment 15

[Ryan VanderMeulen [:RyanVM]]

(In reply to Rob Fletcher [:omerta] from comment #14)
> This is present in mozilla-b2g18, mozilla-b2g18_v1_1_0_hd, and
> mozilla-b2g26_v1_2.
> 
> Yes, it's present in 1.2 and 1.1

Can you please nominate the for b2g26 and b2g18 uplift?

Comment 16

[Eric Chou [:ericchou] [:echou]]

Attachment: patch for b2g26

* Patch for b2g26. Will test with this patch next Monday.

Comment 17

[Eric Chou [:ericchou] [:echou]]

Attachment: patch for b2g18

* Patch for b2g18. Will test on Monday then request for uplift.

Comment 18

[Eric Chou [:ericchou] [:echou]]

(In reply to Eric Chou [:ericchou] [:echou] from comment #16)
> Created attachment 8350903 [details] [diff] [review]
> patch for b2g26
> 
> * Patch for b2g26. Will test with this patch next Monday.

Verified.

Comment 19

[Eric Chou [:ericchou] [:echou]]

Attachment: patch 1: final: patch for b2g26, r=gyeh

Comment 20

[Eric Chou [:ericchou] [:echou]]

Attachment: patch 1: final: patch for b2g18, r=gyeh

* Updated. Final patch for b2g18.

Comment 21

[Eric Chou [:ericchou] [:echou]]

Hi Bhavana,

Again, we need your help to uplift this security bug just like bug 932490. Thank you.

Comment 22

[Ryan VanderMeulen [:RyanVM]]

Please request b2g26/b2g18 approval on the patches.

Comment 23

[Eric Chou [:ericchou] [:echou]]

(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22)
> Please request b2g26/b2g18 approval on the patches.

To be honest I don't know what the criteria is for this kind of patch. Take bug 932543 as an example, at first I tried to nominate as koi+ in comment 24 and Jason told me to request for approval to uplift, so I did in comment 27. Then Bhavana explained why release team rather koi+'ing than using approval, so it turned out to be koi+. After that I nominate as leo+ to bug 932490 but soon I was told that 'we won't have leo triage anymore', so I ni? Bhavana again and everything looks just fine. Now I'm confused because we don't seem to have a procedure for developers to make these patches get uplifted.

Comment 24

[Eric Chou [:ericchou] [:echou]]

Comment on attachment 8351307 [details] [diff] [review]
patch 1: final: patch for b2g26, r=gyeh

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning.
User impact if declined: no user impact. Security issue.
Testing completed: m-c and manual testing by transferring files.
Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution.
String or UUID changes made by this patch: no

Comment 25

[Eric Chou [:ericchou] [:echou]]

Comment on attachment 8359024 [details] [diff] [review]
patch 1: final: patch for b2g18, r=gyeh

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning.
User impact if declined: no user impact. Security issue.
Testing completed: m-c and manual testing by transferring files.
Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution.
String or UUID changes made by this patch: no

Comment 26

[Ryan VanderMeulen [:RyanVM]]

(In reply to Eric Chou [:ericchou] [:echou] from comment #23)
> (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22)
> > Please request b2g26/b2g18 approval on the patches.
> 
> To be honest I don't know what the criteria is for this kind of patch.

I completely feel your pain. We (myself, Bhavana, and Preeti) had a discussion about this exact topic on Friday and requesting approval was the route we came to a consensus on. The B2G Landing page has also been updated to reflect this information. Sorry for the confusion, hopefully things are more straightforward in the future.
https://wiki.mozilla.org/Release_Management/B2G_Landing

Comment 27

[Eric Chou [:ericchou] [:echou]]

(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #26)
> (In reply to Eric Chou [:ericchou] [:echou] from comment #23)
> > (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22)
> > > Please request b2g26/b2g18 approval on the patches.
> > 
> > To be honest I don't know what the criteria is for this kind of patch.
> 
> I completely feel your pain. We (myself, Bhavana, and Preeti) had a
> discussion about this exact topic on Friday and requesting approval was the
> route we came to a consensus on. The B2G Landing page has also been updated
> to reflect this information. Sorry for the confusion, hopefully things are
> more straightforward in the future.
> https://wiki.mozilla.org/Release_Management/B2G_Landing

No problem. Thank you for clarifying that, Ryan.

Comment 28

[Ryan VanderMeulen [:RyanVM]]

FWIW, the b2g26 backport is green on Try.

The b2g18 backport is busted, however.

20:23:39     INFO -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: In member function 'bool mozilla::dom::bluetooth::BluetoothOppManager::WriteToFile(const uint8_t*, int)':
20:23:39  WARNING -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:575: warning: comparison between signed and unsigned integer expressions
20:23:39     INFO -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: In member function 'void mozilla::dom::bluetooth::BluetoothOppManager::ServerDataHandler(mozilla::ipc::UnixSocketRawData*)':
20:23:39    ERROR -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:791: error: 'ReplyError' was not declared in this scope
20:23:39    ERROR -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:804: error: 'ReplyError' was not declared in this scope
20:23:39     INFO -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: At global scope:
20:23:39    ERROR -  ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:1253: error: no 'void mozilla::dom::bluetooth::BluetoothOppManager::ReplyError(uint8_t)' member function declared in class 'mozilla::dom::bluetooth::BluetoothOppManager'
20:23:39     INFO -  In the directory  /builds/slave/b2g_try_emu_dep-00000000000000/build/objdir-gecko/dom/bluetooth
20:23:39     INFO -  The following command failed to execute properly:
20:23:39     INFO -  /usr/bin/ccache /builds/slave/b2g_try_emu_dep-00000000000000/build/prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-g++ -o BluetoothOppManager.o -c -fvisibility=hidden -D_IMPL_NS_LAYOUT -DMOZ_BLUETOOTH_GONK -DMOZILLA_INTERNAL_API -D_IMPL_NS_COM -DEXPORT_XPT_API -DEXPORT_XPTC_API -D_IMPL_NS_GFX -D_IMPL_NS_WIDGET -DIMPL_XREAPI -DIMPL_NS_NET -DIMPL_THEBES -DSTATIC_EXPORTABLE_JS_API -DEXCLUDE_SKIA_DEPENDENCIES -DOS_POSIX=1 -DOS_LINUX=1 -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/base -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/battery -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/encoding -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/file -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/power -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/push -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/push/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/media -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/network/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/settings -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/phonenumberutils -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/contacts -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/permission -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/alarm -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/events -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/storage -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/offline -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/geolocation -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/notification -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/workers -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/time -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/xbl/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/xul/document/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/events/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/base/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/html/content/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/html/document/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/media/webaudio -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/svg/content/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/generic -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/style -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/xul/base/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/xul/base/src/tree/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/camera -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/system/gonk -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/telephony -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/wifi -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/icc/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/fm -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/ipc -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/linux -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/gonk -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/ipc/chromium/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/ipc/glue -I../../ipc/ipdl/_ipdlheaders -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth -I. -I../../dist/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/objdir-gecko/dist/include/nspr -I/builds/slave/b2g_try_emu_dep-00000000000000/build/objdir-gecko/dist/include/nss -fPIC -DANDROID -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/arch-arm/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/include/ -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/common -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/arch-arm -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/opengl/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/native/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware_legacy/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/core/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/dbus -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/bluetooth/bluez/lib -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/sensorservice -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/camera -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/media/wilhelm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright/openmax -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/rtsp -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/dalvik/libnativehelper/include/nativehelper -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Wtype-limits -Wempty-body -Werror=conversion-null -Wno-ctor-dtor-privacy -Wno-overlength-strings -Wno-invalid-offsetof -Wno-variadic-macros -Wno-long-long -mandroid -fno-short-enums -fno-exceptions -Wno-psabi -DMOZ_ENABLE_JS_DUMP -include /builds/slave/b2g_try_emu_dep-00000000000000/build/gonk-misc/Unicode.h -I/builds/slave/b2g_try_emu_dep-00000000000000/build/ndk/sources/cxx-stl/stlport/stlport/ -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/stlport/stlport/ -march=armv7-a -mthumb -mfpu=vfp -mfloat-abi=softfp -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -std=gnu++0x -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fno-reorder-functions -fomit-frame-pointer -DANDROID -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/arch-arm/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/include/ -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/common -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/arch-arm -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/opengl/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/native/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware_legacy/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/core/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/dbus -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/bluetooth/bluez/lib -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/sensorservice -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/camera -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/media/wilhelm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright/openmax -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/rtsp -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/dalvik/libnativehelper/include/nativehelper -DMOZILLA_CLIENT -include ../../mozilla-config.h -MD -MF .deps/BluetoothOppManager.o.pp /builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/BluetoothOppManager.cpp
20:23:39    ERROR -  make[7]: *** [BluetoothOppManager.o] Error 1

Comment 29

[Eric Chou [:ericchou] [:echou]]

Attachment: patch 1: final: patch for b2g18, r=gyeh

* Patch updated. Should fixed the bustage.

Is there any way I can run try based on a specific branch like b2g18 or b2g26 by myself to save your time?

Comment 30

[Eric Chou [:ericchou] [:echou]]

Comment on attachment 8362358 [details] [diff] [review]
patch 1: final: patch for b2g18, r=gyeh

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning.
User impact if declined: no user impact. Security issue.
Testing completed: m-c and manual testing by transferring files.
Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution.
String or UUID changes made by this patch: no

Comment 31

[Ryan VanderMeulen [:RyanVM]]

(In reply to Eric Chou [:ericchou] [:echou] from comment #29)
> Is there any way I can run try based on a specific branch like b2g18 or
> b2g26 by myself to save your time?

You can push to Try on top of any branch. It doesn't always work well because it assumes a trunk-like config, but it generally is OK to at least say it builds.

Comment 32

[Ryan VanderMeulen [:RyanVM]]

(In reply to Eric Chou [:ericchou] [:echou] from comment #29)
> * Patch updated. Should fixed the bustage.

It does :)

Comment 33

[Eric Chou [:ericchou] [:echou]]

(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #31)
> (In reply to Eric Chou [:ericchou] [:echou] from comment #29)
> > Is there any way I can run try based on a specific branch like b2g18 or
> > b2g26 by myself to save your time?
> 
> You can push to Try on top of any branch. It doesn't always work well
> because it assumes a trunk-like config, but it generally is OK to at least
> say it builds.

Yeah, I know what it would be looked like. Thanks, Ryan.

Comment 34

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/19df11134ed4
https://hg.mozilla.org/releases/mozilla-b2g18/rev/5b69cc75ecbe

Comment 35

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-b2g18_v1_1_0_hd/rev/5b69cc75ecbe

Comment 36

[Sylvestre Ledru [:Sylvestre]]

Does it impact also ESR24?

Comment 37

[Andrew McCreight [:mccr8]]

No, this is some kind of Bluetooth thing which doesn't affect desktop.