Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche

In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value. A real NSS server will not produce these values. Differential Revision: https://phabricator.services.mozilla.com/D97803 --HG-- extra : moz-landing-system : lando
sailfishos-mirror · Dec 1, 2020 · ba6cbe1 · ba6cbe1
1 parent bd788dd
commit ba6cbe1
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
@@ -917,6 +917,13 @@ ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
+
+#ifndef UNSAFE_FUZZER_MODE
+    PORT_Assert(temp < ssl_auth_size);
+#else
+    temp %= (8 * sizeof(SSLAuthType));
+#endif
+
     parsedTicket->authType = (SSLAuthType)temp;
     rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
     if (rv != SECSuccess) {