Closed
      
        Bug 790929
      
      
        Opened 13 years ago
          Closed 13 years ago
      
        
    
  
WebRTC crash [@sdp_build_attr_from_str]     
    Categories
(Core :: WebRTC: Signaling, defect)
Tracking
()
        RESOLVED
        FIXED
        
    
  
| Tracking | Status | |
|---|---|---|
| firefox16 | --- | unaffected | 
| firefox17 | --- | unaffected | 
| firefox18 | + | fixed | 
| firefox-esr10 | --- | unaffected | 
| firefox-esr17 | --- | unaffected | 
People
(Reporter: posidron, Assigned: ehugg)
References
Details
(Keywords: crash, sec-critical, testcase, Whiteboard: [asan][WebRTC][blocking-webrtc+][qa-][adv-main18-])
Attachments
(3 files, 1 obsolete file)
The console shows the following before the crash happens:
!!! Real PeerConnection constructor called OMG !!!
!!! {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} : calling initialize
!!! Queue for {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} is currently: []
!!! Queue for {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} is currently: []
!!! mozPeerConnection constructor called [object Window @ 0x1544f2980 (native @ 0x14e633d00)]
Delivering PeerConnection ICE callback 
!!! {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} : onStateChange called: 2
!!! ICE waiting...
!!! in executeNext: !!! Queue for {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} is currently: []
!!! {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} : createOffer called
!!! {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} : calling createOffer
!!! Queue for {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} is currently: []
!!! {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} : createOffer returned
!!! {94dd7f47-e489-a648-a1d0-a9317f8d4bc0} : onCreateOfferSuccess called
Click "Crash me" in the testcase to reproduce with a ASan enabled Alder build.
|   | Reporter | |
| Comment 1•13 years ago
           | ||
|   | Reporter | |
| Updated•13 years ago
           | 
Component: WebRTC: Networking → WebRTC: Signaling
| Assignee | ||
| Updated•13 years ago
           | 
Assignee: nobody → ethanhugg
| Updated•13 years ago
           | 
Blocks: 665909
          status-firefox-esr10:
          --- → unaffected
          status-firefox16:
          --- → unaffected
          status-firefox17:
          --- → unaffected
          status-firefox18:
          --- → affected
          tracking-firefox18:
          --- → +
| Updated•13 years ago
           | 
Whiteboard: [asan] → [asan][WebRTC][blocking-webrtc+]
| Comment 2•13 years ago
           | ||
| Comment 3•13 years ago
           | ||
Comment on attachment 661166 [details] [diff] [review]
Error out on SDP buffer too small
If you don't error out, on the next attr the pointer is past the end, and the len (u16) is 6xxxx.
sdp_main.c is actually ok, but added comments.
FYI to cristoph - as this is code not in m-c yet, once it's fixed, should it be opened?  The main reason not to would be that this is imported code, so sec flaws (in the original code at least) would also exist in any Cisco product using it....  (Ethan, you might want to note this for internal Cisco people; CCSIP has/will get a lot of bugfixes relevant to the original source - though they might need to deal with them as reports and not patches, due to licensing issues.)
        Attachment #661166 -
        Flags: review?(ethanhugg)
| Assignee | ||
| Comment 4•13 years ago
           | ||
Comment on attachment 661166 [details] [diff] [review]
Error out on SDP buffer too small
Review of attachment 661166 [details] [diff] [review]:
-----------------------------------------------------------------
::: media/webrtc/signaling/src/sipcc/core/sdp/sdp_attr.c
@@ +215,1 @@
>              }
Is there a reason we wouldn't want to do this instead?  Seems we are checking the same value twice.
result = sdp_attr[attr_p->type].build_func(sdp_p, attr_p,ptr, (u16)(endbuf_p - *ptr));
/* If we ran out of buffer space, we must error out */
if (endbuf_p - *ptr <= 0)
  return (SDP_POTENTIAL_SDP_OVERFLOW);
if (result == SDP_SUCCESS) {
        Attachment #661166 -
        Flags: review?(ethanhugg) → review+
| Comment 5•13 years ago
           | ||
Good point; switched and also corrected indent level to match the file
| Updated•13 years ago
           | 
        Attachment #661166 -
        Attachment is obsolete: true
| Updated•13 years ago
           | 
        Attachment #661194 -
        Flags: review?(ethanhugg)
| Assignee | ||
| Updated•13 years ago
           | 
        Attachment #661194 -
        Flags: review?(ethanhugg) → review+
| Comment 6•13 years ago
           | ||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|   | ||
| Updated•13 years ago
           | 
Whiteboard: [asan][WebRTC][blocking-webrtc+] → [asan][WebRTC][blocking-webrtc+][qa-]
|   | Reporter | |
| Updated•13 years ago
           | 
Blocks: fuzzing-webrtc
| Updated•13 years ago
           | 
|   | ||
| Updated•12 years ago
           | 
Flags: in-testsuite?
| Updated•12 years ago
           | 
          status-firefox-esr17:
          --- → unaffected
Whiteboard: [asan][WebRTC][blocking-webrtc+][qa-] → [asan][WebRTC][blocking-webrtc+][qa-][adv-main18-]
| Updated•12 years ago
           | 
Group: core-security
          You need to log in
          before you can comment on or make changes to this bug.
        
Description
•