[fido] Crash in U2fSign::OnTryDevice
Issue description
U2fSign::OnTryDevice potentially dereferences an end-iterator when application_parameter_type is ApplicationParameterType::kPrimary, |alt_application_parameter_| is valid and |response_code| is SW_WRONG_{DATA,LENGTH}: https://www.google.com/url?q=https://codesearch.chromium.org/chromium/src/device/fido/u2f_sign.cc?q%3Du2f_sign.cc%26sq%3Dpackage:chromium%26dr%26l%3D115-116,120&sa=D&source=hangouts&ust=1523969869403000&usg=AFQjCNGAscmncUkIM18J4OAFHcp8tboXUQ
This can lead to crashes such as this one: http://crash/browse?stbtiq=738898cedccfc636
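The failure mode described above, as an added example that is not part of the original report and is not Chromium's code. The three conditions come from the issue text; every name, the control flow around them, and the empty key list used as input are assumptions made for illustration.

```cpp
// Simplified model, not Chromium's code. The three conditions come from the
// issue text; all names and the surrounding control flow are hypothetical.
#include <cstdint>
#include <vector>

using KeyHandle = std::vector<uint8_t>;
using KeyIter = std::vector<KeyHandle>::const_iterator;

enum class ParamType { kPrimary, kAlternative };
enum class Status { kSuccess, kWrongData, kWrongLength };
enum class Next { kDone, kRetryAlternative, kTryNextKey, kNoKeysLeft };

struct Decision {
  Next next;
  const KeyHandle* key;  // non-null only when a key handle will be used
};

// Decide what to do after a sign attempt on the key handle at `it`.
Decision NextStep(const std::vector<KeyHandle>& keys, KeyIter it,
                  ParamType type, bool has_alt_param, Status status) {
  if (status == Status::kSuccess) return {Next::kDone, nullptr};
  const bool at_end = (it == keys.end());
  // Branch named in the issue: primary parameter rejected and an alternative
  // exists, so the same key handle is retried. Reading *it here without the
  // !at_end test is undefined behaviour when `it` is the end iterator.
  if (type == ParamType::kPrimary && has_alt_param && !at_end)
    return {Next::kRetryAlternative, &*it};
  if (!at_end && ++it != keys.end()) return {Next::kTryNextKey, &*it};
  return {Next::kNoKeysLeft, nullptr};
}

int main() {
  // Constructed input: an empty key list makes begin() == end().
  const std::vector<KeyHandle> none;
  Decision d = NextStep(none, none.cend(), ParamType::kPrimary, true,
                        Status::kWrongData);
  return d.next == Next::kNoKeysLeft && d.key == nullptr ? 0 : 1;
}
```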
Apr 17 2018
Apr 18 2018
I request merge of r551299 into M67 (branch 3396).
Apr 19 2018
Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 19 2018
Pls merge your change to M67 branch 3396 ASAP so we can pick it up for next M67 Dev/Beta release. Thank you.
Apr 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e41040cb5685ebc8852d346f15223b6d42ed29e3

commit e41040cb5685ebc8852d346f15223b6d42ed29e3
Author: jdoerrie <jdoerrie@chromium.org>
Date: Fri Apr 20 08:54:30 2018

[fido] Fix end iterator dereference in U2fSign

This change fixes a bug in U2fSign, where under certain circumstances an end iterator was dereferenced.

Bug: 833398
Change-Id: I9194a966b01fbe9da6e51e50645f7f301e0d59e5
Reviewed-on: https://chromium-review.googlesource.com/1013484
Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#551299}
(cherry picked from commit 99ba5163ab48e317c9bdb03829c71069f18893ea)
Reviewed-on: https://chromium-review.googlesource.com/1021121
Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#155}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}

[modify] https://crrev.com/e41040cb5685ebc8852d346f15223b6d42ed29e3/device/fido/u2f_sign.cc
[modify] https://crrev.com/e41040cb5685ebc8852d346f15223b6d42ed29e3/device/fido/u2f_sign_unittest.cc
Comment 1 by bugdroid1@chromium.org, Apr 17 2018