Crash in net::WebSocketExtension::Parameter::Parameter
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5646692546510848
Fuzzer: libfuzzer_net_websocket_extension_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900005d30
Crash State:
net::WebSocketExtension::Parameter::Parameter
net::WebSocketExtensionParser::ConsumeExtensionParameter
net::WebSocketExtensionParser::ConsumeExtension
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=418219:418280
Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97VQ20DTCv-78pVCSr0z61Af6l57QzPBySwQ5AXhU_V2oSIh9W1jeVj7q27iBm8YE6BfqxpT4B72tEVsKpO2iJTzr_loB5-NG_2q1RifT41bWIAa95ivlzlMXa6-6K_XZqaEjeCSnxrB9e93FilZGiZEgdFAA?testcase_id=5646692546510848
Issue manually filed by: ricea

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 15 2016
It turns out that the parser accepts top-bit-set characters as token characters when it shouldn't. Fixing.
Sep 16 2016
I made HttpUtil::IsTokenChar() public 2w ago. You might want to use it.
Sep 16 2016
Ah, you did it in the patch! Thanks
Sep 16 2016
I must admit I was confused when I went to make it public and it already was.
Sep 16 2016
Unrestricting the bug since it is purely a conformance issue, not a security issue.
Sep 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/66318666019b16c7315c5e1747101bc7e8e9bab7

commit 66318666019b16c7315c5e1747101bc7e8e9bab7
Author: ricea <ricea@chromium.org>
Date: Fri Sep 16 07:47:03 2016

WebSocketExtensionParser: reject top-bit-set characters

net::WebSocketExtensionParser would accept top-bit-set characters in tokens. Change it to use net::HttpUtil::IsTokenChar() so it accepts the same characters as everything else.

Add some tests for top-bit-set characters and a regression test for issue 647156.

Also various minor changes to make the code more Chromey.

BUG= 647156
Review-Url: https://codereview.chromium.org/2344873002
Cr-Commit-Position: refs/heads/master@{#419125}

[modify] https://crrev.com/66318666019b16c7315c5e1747101bc7e8e9bab7/net/websockets/websocket_extension_parser.cc
[modify] https://crrev.com/66318666019b16c7315c5e1747101bc7e8e9bab7/net/websockets/websocket_extension_parser.h
[modify] https://crrev.com/66318666019b16c7315c5e1747101bc7e8e9bab7/net/websockets/websocket_extension_parser_test.cc
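Added example, not Chromium's code: a token-character check that takes an unsigned byte, so 0x80-0xFF can never count as tchar, plus a minimal Sec-WebSocket-Extensions parameter parser built on it, in the spirit of the fix above. The function names and the simplified grammar (no quoted-string values) are my own assumptions.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// RFC 7230 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
// "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA, i.e. visible ASCII minus the
// delimiters. Taking an unsigned byte keeps 0x80-0xFF out of the set even
// where `char` is signed, which is the case the original parser got wrong.
bool IsTokenChar(unsigned char c) {
  if (c >= 0x80 || c <= 0x20 || c == 0x7F) return false;  // non-ASCII, CTL, SP, DEL
  static const std::string kDelimiters = "\"(),/:;<=>?@[\\]{}";
  return kDelimiters.find(static_cast<char>(c)) == std::string::npos;
}

struct Parameter { std::string name, value; };
struct Extension { std::string name; std::vector<Parameter> params; };

// Reads one token at pos; fails only on an empty token. A non-tchar byte ends
// the token and is left for the caller, which rejects anything but ';' or '='.
static bool ConsumeToken(const std::string& s, std::size_t& pos, std::string* out) {
  std::size_t start = pos;
  while (pos < s.size() && IsTokenChar(static_cast<unsigned char>(s[pos]))) ++pos;
  *out = s.substr(start, pos - start);
  return !out->empty();
}

// Parses one extension of the form `name *( ";" param [ "=" token ] )`, the
// shape used in Sec-WebSocket-Extensions (quoted-string values omitted here).
// Any byte outside the grammar, including 0x80-0xFF, makes parsing fail.
std::optional<Extension> ParseExtension(const std::string& s) {
  Extension ext;
  std::size_t pos = 0;
  if (!ConsumeToken(s, pos, &ext.name)) return std::nullopt;
  while (pos < s.size()) {
    if (s[pos] != ';') return std::nullopt;  // stray byte after a token
    ++pos;
    while (pos < s.size() && s[pos] == ' ') ++pos;
    Parameter p;
    if (!ConsumeToken(s, pos, &p.name)) return std::nullopt;
    if (pos < s.size() && s[pos] == '=') {
      ++pos;
      if (!ConsumeToken(s, pos, &p.value)) return std::nullopt;
    }
    ext.params.push_back(p);
  }
  return ext;
}
```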
Sep 17 2016
ClusterFuzz has detected this issue as fixed in range 419121:419151.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5646692546510848
Fuzzer: libfuzzer_net_websocket_extension_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900005d30
Crash State:
net::WebSocketExtension::Parameter::Parameter
net::WebSocketExtensionParser::ConsumeExtensionParameter
net::WebSocketExtensionParser::ConsumeExtension
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=418219:418280
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=419121:419151
Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97VQ20DTCv-78pVCSr0z61Af6l57QzPBySwQ5AXhU_V2oSIh9W1jeVj7q27iBm8YE6BfqxpT4B72tEVsKpO2iJTzr_loB5-NG_2q1RifT41bWIAa95ivlzlMXa6-6K_XZqaEjeCSnxrB9e93FilZGiZEgdFAA?testcase_id=5646692546510848

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 17 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ricea@chromium.org, Sep 15 2016
Labels: -Pri-1 OS-All Pri-2
Owner: ricea@chromium.org
Status: Started (was: Untriaged)