95 lines
2.9 KiB
Diff
95 lines
2.9 KiB
Diff
From e8f9f3b8869e7cd0db4f84d05ebb42c1ccd06395 Mon Sep 17 00:00:00 2001
|
|
From: Frederik Braun <fbraun@mozilla.com>
|
|
Date: Fri, 19 Mar 2021 14:08:03 +0000 (2021-03-19)
|
|
Subject: [PATCH] CVE-2021-29946
|
|
|
|
---
|
|
netwerk/base/nsIOService.cpp | 2 +-
|
|
netwerk/test/unit/test_altsvc.js | 57 ++++++++++++++++++++++++++++++++
|
|
2 files changed, 58 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp
|
|
index 79abb1310f..f72cdf02b8 100644
|
|
--- a/netwerk/base/nsIOService.cpp
|
|
+++ b/netwerk/base/nsIOService.cpp
|
|
@@ -1406,7 +1406,7 @@ nsIOService::AllowPort(int32_t inPort, const char* scheme, bool* _retval) {
|
|
return NS_OK;
|
|
}
|
|
|
|
- if (port == 0) {
|
|
+ if (port <= 0 || port >= std::numeric_limits<uint16_t>::max()) {
|
|
*_retval = false;
|
|
return NS_OK;
|
|
}
|
|
diff --git a/netwerk/test/unit/test_altsvc.js b/netwerk/test/unit/test_altsvc.js
|
|
index 57d4357cb3..4c4eaba6b6 100644
|
|
--- a/netwerk/test/unit/test_altsvc.js
|
|
+++ b/netwerk/test/unit/test_altsvc.js
|
|
@@ -468,6 +468,63 @@ function doTest16() {
|
|
do_test_finished();
|
|
},
|
|
});
|
|
+ nextTest = doTest19;
|
|
do_test_pending();
|
|
doTest();
|
|
}
|
|
+
|
|
+// Check we don't connect to blocked ports
|
|
+function doTest19() {
|
|
+ dump("doTest19()\n");
|
|
+ origin = httpFooOrigin;
|
|
+ nextTest = testsDone;
|
|
+ otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance(
|
|
+ Ci.nsIServerSocket
|
|
+ );
|
|
+ const BAD_PORT_U32 = 6667 + 65536;
|
|
+ otherServer.init(BAD_PORT_U32, true, -1);
|
|
+ Assert.ok(otherServer.port == 6667, "Trying to listen on port 6667");
|
|
+ xaltsvc = "localhost:" + BAD_PORT_U32;
|
|
+ dump("Blocked port: " + otherServer.port);
|
|
+ waitFor = 500;
|
|
+ otherServer.asyncListen({
|
|
+ onSocketAccepted() {
|
|
+ Assert.ok(false, "Got connection to socket when we didn't expect it!");
|
|
+ },
|
|
+ onStopListening() {
|
|
+ // We get closed when the entire file is done, which guarantees we get the socket accept
|
|
+ // if we do connect to the alt-svc header
|
|
+ do_test_finished();
|
|
+ },
|
|
+ });
|
|
+ nextTest = doTest20;
|
|
+ do_test_pending();
|
|
+ doTest();
|
|
+}
|
|
+function doTest20() {
|
|
+ dump("doTest20()\n");
|
|
+ origin = httpFooOrigin;
|
|
+ nextTest = testsDone;
|
|
+ otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance(
|
|
+ Ci.nsIServerSocket
|
|
+ );
|
|
+ const BAD_PORT_U64 = 6666 + 429496729;
|
|
+ otherServer.init(6666, true, -1);
|
|
+ Assert.ok(otherServer.port == 6666, "Trying to listen on port 6666");
|
|
+ xaltsvc = "localhost:" + BAD_PORT_U64;
|
|
+ dump("Blocked port: " + otherServer.port);
|
|
+ waitFor = 500;
|
|
+ otherServer.asyncListen({
|
|
+ onSocketAccepted() {
|
|
+ Assert.ok(false, "Got connection to socket when we didn't expect it!");
|
|
+ },
|
|
+ onStopListening() {
|
|
+ // We get closed when the entire file is done, which guarantees we get the socket accept
|
|
+ // if we do connect to the alt-svc header
|
|
+ do_test_finished();
|
|
+ },
|
|
+ });
|
|
+ do_test_pending();
|
|
+ doTest();
|
|
+}
|
|
+
|
|
--
|
|
2.27.0
|
|
|