Crash Due to net::ElideSpdyHeaderBlockForNetLog Not Passing UTF-8 |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5449363947257856

Fuzzer: libfuzzer_net_spdy_session_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e9000019ab
Crash State:
  base::debug::DebugBreak
  base::Value::Value
  base::Value::Value

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=449627:449661

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97nLSxUfqWTYB0KNj_Ri11lxX_fCADHCEF0jMrzwb-Ms_99uyl-exWfOP8ATy3RGVXh62TkBLWPok9G_ctT95b_VSqD11EQOnP60XTVKB5V4Bqd-Iweyhc6eaMTgHGXurBzn2MIvwxPvB1wagLKCASLkKfeJeY5WV3PGfpmxT1CHopRkooEH4egPCHl-FzeIcspG94QLh06vch9LfbZCu1ptU01tkzbn9V_7aBTRltgujnG_OyObT60q-YWzFpwbdrelLkpX6bGLotgqkmADKWbqN8vddCV9_EPCX5wZGpUS6DeWwTsIL9BuZnPXADt3XCDDGCjKu4Id4XPmRJdXWf3SoWqmDqSWanNCQs40C7JI_Y87ojaonvD0YTVpIb8RnhK_5wa4xR_BF4t33FEmQHJgQmchQ?testcase_id=5449363947257856

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 14 2017
Feb 14 2017
Over to you, xunjieli. The crash is a DCHECK against a logged SPDY string when the string is not valid UTF-8. Logging was apparently added by you here: https://codereview.chromium.org/1932853002/ Looks like morlovich might have added the fuzzer that catches this, so I added that id to the CC list.
Feb 14 2017
My CL only moved the existing logging function from one file to another. morlovich: can spdy headers contain non-UTF-8?
Feb 14 2017
My (not-really-expert, just checked the spec) understanding is that HTTP2 header values can contain close to everything --- there are restrictions on things like CR, LF and \0, and perhaps some other control stuff --- but everything in the 0x80-0xFF range appears to be permitted. Header names, OTOH, are supposed to be lowercase ASCII (which is enforced after this call, and perhaps not quite correctly --- SpdyStream::SaveResponseHeaders seems to disallow uppercase ASCII, but I am not sure anything ensures ASCII...)
Feb 14 2017
Feb 22 2017
Feb 22 2017
Feb 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/21b64f4da725d81384c3558f96d9d8b045c99633

commit 21b64f4da725d81384c3558f96d9d8b045c99633
Author: xunjieli <xunjieli@chromium.org>
Date: Tue Feb 28 23:49:20 2017

HTTP/2 Check header names in HeaderCoalescer

According to RFC 7540 Section 8.1.2, HTTP/2 header names are ASCII characters. SpdyStream::SaveResponseHeaders() checks whether header names contain uppercase ASCII characters, but not whether header names are valid tokens. This CL makes HeaderCoalescer enforce a header name validity check by HttpUtil::IsValidHeaderName().

BUG=691243
Review-Url: https://codereview.chromium.org/2710053002
Cr-Commit-Position: refs/heads/master@{#453749}

[modify] https://crrev.com/21b64f4da725d81384c3558f96d9d8b045c99633/net/spdy/header_coalescer.cc
[modify] https://crrev.com/21b64f4da725d81384c3558f96d9d8b045c99633/net/spdy/header_coalescer_test.cc
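As an added illustration (this is not Chromium code and not the CL above), the following C++ sketch shows the two checks this thread turns on: a header name must be a lowercase ASCII token (RFC 7540 8.1.2, token per RFC 7230 3.2.6, the rule the CL enforces through HttpUtil::IsValidHeaderName()), while a header value may legally carry bytes 0x80-0xFF that are not UTF-8 and so must be escaped before it reaches a UTF-8-only sink such as a NetLog value. The namespace h2log, the function names, the pseudo-header handling and the escaping format are this example's own assumptions; the sample header block in main() is constructed.

```cpp
// Added example, not Chromium code. Re-implements the RFC token rule for
// HTTP/2 header names and a log-safe escaping of header values that are
// not valid UTF-8. Names and pseudo-header handling are assumptions.
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>

namespace h2log {

// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
//         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA   (RFC 7230 3.2.6)
inline bool IsTchar(unsigned char c) {
  if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
      (c >= 'A' && c <= 'Z'))
    return true;
  switch (c) {
    case '!': case '#': case '$': case '%': case '&': case '\'': case '*':
    case '+': case '-': case '.': case '^': case '_': case '`': case '|':
    case '~':
      return true;
    default:
      return false;  // SP, CTLs, separators and every byte >= 0x80
  }
}

inline bool IsValidToken(const std::string& name) {
  if (name.empty()) return false;
  for (unsigned char c : name)
    if (!IsTchar(c)) return false;
  return true;
}

// HTTP/2 name rule: a token, lowercase only. Pseudo-headers (":status",
// ":path") begin with ':' which is not a tchar, so that prefix is peeled
// off before the token test (assumption: treat them like ordinary names).
inline bool IsValidHttp2HeaderName(const std::string& name) {
  std::string body = name;
  if (!body.empty() && body[0] == ':') body.erase(0, 1);
  if (!IsValidToken(body)) return false;
  for (unsigned char c : body)
    if (c >= 'A' && c <= 'Z') return false;  // uppercase is malformed in h2
  return true;
}

// Structural UTF-8 check: lead/continuation shapes, no overlongs, no
// surrogates, nothing above U+10FFFF. This is what a UTF-8-only sink
// (e.g. a JSON string value) effectively asserts on its input.
inline bool IsValidUtf8(const std::string& s) {
  const size_t n = s.size();
  size_t i = 0;
  while (i < n) {
    const unsigned char c = static_cast<unsigned char>(s[i]);
    size_t len;
    uint32_t cp;
    if (c < 0x80) { ++i; continue; }
    if (c >= 0xC2 && c <= 0xDF)      { len = 2; cp = c & 0x1F; }
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; }
    else return false;               // 0x80-0xC1, 0xF5-0xFF: never a lead
    if (i + len > n) return false;   // truncated sequence
    for (size_t k = 1; k < len; ++k) {
      const unsigned char cc = static_cast<unsigned char>(s[i + k]);
      if ((cc & 0xC0) != 0x80) return false;
      cp = (cp << 6) | (cc & 0x3F);
    }
    if (len == 3 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return false;
    if (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)) return false;
    i += len;
  }
  return true;
}

// Log-safe rendering of a header value: valid UTF-8 passes through
// unchanged; otherwise every byte outside printable ASCII (and '\\', so
// the escape stays unambiguous) becomes \xNN. The result is always ASCII.
inline std::string EscapeForLog(const std::string& value) {
  if (IsValidUtf8(value)) return value;
  std::string out;
  out.reserve(value.size() * 4);
  for (unsigned char c : value) {
    if (c >= 0x20 && c < 0x7F && c != '\\') {
      out.push_back(static_cast<char>(c));
    } else {
      char buf[5];
      std::snprintf(buf, sizeof buf, "\\x%02X", c);
      out += buf;
    }
  }
  return out;
}

}  // namespace h2log

// Constructed sample header block: a pseudo-header, an uppercase name, a
// name with a byte >= 0x80, and a value that is not UTF-8.
int main() {
  const std::pair<const char*, std::string> headers[] = {
      {":status", "200"},
      {"Content-Type", "text/html"},
      {"x-na\x80" "me", "ok"},
      {"x-raw", std::string("a\xFF" "b")},
  };
  for (const auto& h : headers)
    std::printf("name_ok=%d value=%s\n",
                h2log::IsValidHttp2HeaderName(h.first),
                h2log::EscapeForLog(h.second).c_str());
  return 0;
}
```

The name check rejects a name as soon as any byte is outside the tchar set, which covers the case morlovich raised (uppercase is caught, but so is any byte above 0x7F); the value path never rejects, it only makes the bytes representable, because the value itself is permitted to contain them.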
Mar 1 2017
Mar 16 2017
May 5 2017
ClusterFuzz has detected this issue as fixed in range 469306:469316.

Detailed report: https://clusterfuzz.com/testcase?key=5449363947257856

Fuzzer: libfuzzer_net_spdy_session_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e9000019ab
Crash State:
  base::debug::DebugBreak
  base::Value::Value
  base::Value::Value

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=449627:449661
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=469306:469316

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5449363947257856

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by nyerramilli@google.com, Feb 13 2017
Labels: Test-Predator-Wrong-CLs M-58
Owner: bcwh...@chromium.org
Status: Assigned (was: Untriaged)