Commit ba6cbe1d authored by Kevin Jacobs

Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche

In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value. A real NSS server will not produce these values.

Differential Revision: https://phabricator.services.mozilla.com/D97803

--HG--
extra : moz-landing-system : lando
parent bd788dd7
......@@ -917,6 +917,13 @@ ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
#ifndef UNSAFE_FUZZER_MODE
PORT_Assert(temp < ssl_auth_size);
#else
temp %= (8 * sizeof(SSLAuthType));
#endif
parsedTicket->authType = (SSLAuthType)temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
......
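Review bot: The two branches enforce different bounds on `temp`, and the `#else` line has no comment saying why. `PORT_Assert(temp < ssl_auth_size)` limits the value to the enum range, while `temp %= (8 * sizeof(SSLAuthType));` limits it only to the bit width of the type, so in fuzzer mode values at or above `ssl_auth_size` are still cast into `parsedTicket->authType`. If the intent is only to keep the later shift defined, a one-line comment stating that would help; otherwise `temp %= ssl_auth_size` would match the assertion. Separately, `PORT_Assert` is compiled out of non-debug builds, so the non-fuzzer path has no runtime check here. Since this function already returns `SECFailure` on malformed input just above, an explicit `if (temp >= ssl_auth_size)` that sets an error and returns `SECFailure` would cover both build modes without depending on the ticket's integrity protection.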