From e8f9f3b8869e7cd0db4f84d05ebb42c1ccd06395 Mon Sep 17 00:00:00 2001
From: Frederik Braun <fbraun@mozilla.com>
Date: Fri, 19 Mar 2021 14:08:03 +0000 (2021-03-19)
Subject: [PATCH] CVE-2021-29946

---
 netwerk/base/nsIOService.cpp     |  2 +-
 netwerk/test/unit/test_altsvc.js | 57 ++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp
index 79abb1310f..f72cdf02b8 100644
--- a/netwerk/base/nsIOService.cpp
+++ b/netwerk/base/nsIOService.cpp
@@ -1406,7 +1406,7 @@ nsIOService::AllowPort(int32_t inPort, const char* scheme, bool* _retval) {
     return NS_OK;
   }
 
-  if (port == 0) {
+  if (port <= 0 || port >= std::numeric_limits<uint16_t>::max()) {
     *_retval = false;
     return NS_OK;
   }
diff --git a/netwerk/test/unit/test_altsvc.js b/netwerk/test/unit/test_altsvc.js
index 57d4357cb3..4c4eaba6b6 100644
--- a/netwerk/test/unit/test_altsvc.js
+++ b/netwerk/test/unit/test_altsvc.js
@@ -468,6 +468,63 @@ function doTest16() {
       do_test_finished();
     },
   });
+  nextTest = doTest19;
   do_test_pending();
   doTest();
 }
+
+// Check we don't connect to blocked ports
+function doTest19() {
+  dump("doTest19()\n");
+  origin = httpFooOrigin;
+  nextTest = testsDone;
+  otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance(
+    Ci.nsIServerSocket
+  );
+  const BAD_PORT_U32 = 6667 + 65536;
+  otherServer.init(BAD_PORT_U32, true, -1);
+  Assert.ok(otherServer.port == 6667, "Trying to listen on port 6667");
+  xaltsvc = "localhost:" + BAD_PORT_U32;
+  dump("Blocked port: " + otherServer.port);
+  waitFor = 500;
+  otherServer.asyncListen({
+    onSocketAccepted() {
+      Assert.ok(false, "Got connection to socket when we didn't expect it!");
+    },
+    onStopListening() {
+      // We get closed when the entire file is done, which guarantees we get the socket accept
+      // if we do connect to the alt-svc header
+      do_test_finished();
+    },
+  });
+  nextTest = doTest20;
+  do_test_pending();
+  doTest();
+}
+function doTest20() {
+  dump("doTest20()\n");
+  origin = httpFooOrigin;
+  nextTest = testsDone;
+  otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance(
+    Ci.nsIServerSocket
+  );
+  const BAD_PORT_U64 = 6666 + 429496729;
+  otherServer.init(6666, true, -1);
+  Assert.ok(otherServer.port == 6666, "Trying to listen on port 6666");
+  xaltsvc = "localhost:" + BAD_PORT_U64;
+  dump("Blocked port: " + otherServer.port);
+  waitFor = 500;
+  otherServer.asyncListen({
+    onSocketAccepted() {
+      Assert.ok(false, "Got connection to socket when we didn't expect it!");
+    },
+    onStopListening() {
+      // We get closed when the entire file is done, which guarantees we get the socket accept
+      // if we do connect to the alt-svc header
+      do_test_finished();
+    },
+  });
+  do_test_pending();
+  doTest();
+}
+
-- 
2.27.0