Hang in net_http_proxy_client_socket_fuzzer
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6161549531283456
Fuzzer: libfuzzer_net_http_proxy_client_socket_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Hang
Crash Address:
Crash State: net_http_proxy_client_socket_fuzzer
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Minimized Testcase (7.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DIcb56d2A91O9zBulI1Hu-2H9kvjNlcMUHGSeiZGc8GMufCHediUMG4l-qLEToUPl7tTUddDAv8D8_SmKJjT38mIMmvoFotqXhvBh0eQL-7f_HDyL8NISlws-RdVSCcvWP6U-ysgetxd_yJeB4lgFZbrQlg?testcase_id=6161549531283456
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 17 2017
Unable to find the possible suspect using Code Search, Find it and CL. Assigning to the concern owner who worked on similar issue. @mmoroz -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
Jan 18 2017
Matt, as an author of the fuzzer, would you mind helping to find an owner?
Jan 19 2017
The issue here is that CopyHeaderValues in net/http/proxy_client_socket.cc is extremely slow when we have a ton of headers (or one header with a bunch of commas in it). Lowering the priority as this, at worst, allows a malicious proxy (or MITM when a user is using an unencrypted proxy) to DoS Chrome. Does seem like we should fix it, though.
Jan 23 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/69b49a8ebcb7b1efddf89262b0ca36a300d756a5

commit 69b49a8ebcb7b1efddf89262b0ca36a300d756a5
Author: mmenke <mmenke@chromium.org>
Date: Mon Jan 23 19:34:57 2017

Speed up sanitizing headers received from HTTP proxies.

The old code repeatedly re-parsed headers for each header to be retained, which is a very CPU intensive operation. In practice, this shouldn't have mattered much. At worst, a malicious proxy or MitM could DoS the CPU.

This code removes all the redundant parsing, and just removes all the old headers in a single pass, at the cost of a bit more code, and worse performance in the average case. In the extreme case the fuzzer detected, the new code is about 1,000 times faster.

BUG= 666878
Review-Url: https://codereview.chromium.org/2643023003
Cr-Commit-Position: refs/heads/master@{#445432}

[modify] https://crrev.com/69b49a8ebcb7b1efddf89262b0ca36a300d756a5/net/http/http_response_headers.cc
[modify] https://crrev.com/69b49a8ebcb7b1efddf89262b0ca36a300d756a5/net/http/http_response_headers.h
[modify] https://crrev.com/69b49a8ebcb7b1efddf89262b0ca36a300d756a5/net/http/http_response_headers_unittest.cc
[modify] https://crrev.com/69b49a8ebcb7b1efddf89262b0ca36a300d756a5/net/http/proxy_client_socket.cc
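To make the cost described in the diagnosis and the commit message concrete, here is an added toy illustration (my own code, not Chromium's net/http implementation): a copy loop that re-parses the destination block after every retained value, beside the single-pass filter shape the fix moved to. The header syntax, the parser, the keep set and the names CopyRetainedSlow/CopyRetainedFast are assumptions for this example; a parse counter stands in for CPU time, and one header with many commas becomes many values, which is exactly the input the fuzzer produced.

```cpp
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Toy stand-in (not Chromium's HttpResponseHeaders): one (name, value) entry
// per comma-separated value, so a single header with many commas yields many.
using HeaderList = std::vector<std::pair<std::string, std::string>>;
// Full parses of a raw block; the slow shape pays one per retained value.
static long g_parse_count = 0;
HeaderList ParseRaw(const std::string& raw) {
  ++g_parse_count;
  HeaderList out;
  std::istringstream lines(raw);
  std::string line;
  while (std::getline(lines, line)) {
    if (!line.empty() && line.back() == '\r') line.pop_back();
    const size_t colon = line.find(':');
    if (colon == std::string::npos) continue;  // not a header line
    std::istringstream values(line.substr(colon + 1));
    std::string v;
    while (std::getline(values, v, ',')) {  // "a, b, c" -> three values
      const size_t start = v.find_first_not_of(' ');
      if (start != std::string::npos)
        out.emplace_back(line.substr(0, colon), v.substr(start));
    }
  }
  return out;
}
// Slow shape: append each retained value to the destination's raw text and
// re-parse the whole destination block, quadratic in the number of values.
HeaderList CopyRetainedSlow(const std::string& raw, const std::set<std::string>& keep) {
  std::string dest_raw;
  HeaderList dest;
  for (const auto& kv : ParseRaw(raw)) {
    if (!keep.count(kv.first)) continue;
    dest_raw += kv.first + ": " + kv.second + "\r\n";
    dest = ParseRaw(dest_raw);  // the redundant per-header re-parse
  }
  return dest;
}
// Fixed shape: parse once, then drop non-retained entries in a single pass.
HeaderList CopyRetainedFast(const std::string& raw, const std::set<std::string>& keep) {
  HeaderList dest;
  for (const auto& kv : ParseRaw(raw))
    if (keep.count(kv.first)) dest.push_back(kv);
  return dest;
}
```

With a constructed block of five comma-separated values plus one other retained header, the slow shape performs seven full parses and the fixed shape one, for identical output.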
Jan 23 2017
Surprised the fuzzer found this - had to add a lot of cruft separated by commas to a single request header, wouldn't have thought it would be that interesting.
Jan 24 2017
ClusterFuzz has detected this issue as fixed in range 445428:445576.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6161549531283456
Fuzzer: libfuzzer_net_http_proxy_client_socket_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State: net_http_proxy_client_socket_fuzzer
Sanitizer: memory (MSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=445428:445576
Minimized Testcase (7.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DIcb56d2A91O9zBulI1Hu-2H9kvjNlcMUHGSeiZGc8GMufCHediUMG4l-qLEToUPl7tTUddDAv8D8_SmKJjT38mIMmvoFotqXhvBh0eQL-7f_HDyL8NISlws-RdVSCcvWP6U-ysgetxd_yJeB4lgFZbrQlg?testcase_id=6161549531283456
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ajha@chromium.org, Nov 21 2016