authorKevin Jacobs <kjacobs@mozilla.com>2020-12-01 18:05:33 +0000
committerKevin Jacobs <kjacobs@mozilla.com>2020-12-01 18:05:33 +0000
commit0dedb96d01249ca9bbe2cb0d68333730fd47d2d7 (patch)
tree0a4835feb5830ad5af457ee9a9538d69315ddd40 /lib
parent27fe4f4d357339436d7953770201f0bcd7e4ba77 (diff)
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche
In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value. A real NSS server will not produce these values. Differential Revision: https://phabricator.services.mozilla.com/D97803
Diffstat (limited to 'lib')
-rw-r--r--lib/ssl/ssl3exthandle.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
index 2f1ab56fe..fa1c66ee2 100644
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -917,6 +917,13 @@ ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket,
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
+
+#ifndef UNSAFE_FUZZER_MODE
+ PORT_Assert(temp < ssl_auth_size);
+#else
+ temp %= (8 * sizeof(SSLAuthType));
+#endif
+
parsedTicket->authType = (SSLAuthType)temp;
rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len);
if (rv != SECSuccess) {
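Review bot: In builds without UNSAFE_FUZZER_MODE the only guard on `temp` before the cast to `SSLAuthType` is `PORT_Assert(temp < ssl_auth_size)`, which as far as I know is compiled out of non-debug builds, so a release build would still accept an out-of-range value if one ever survived ticket decryption. The fuzzer branch bounds `temp` by the bit width (`8 * sizeof(SSLAuthType)`) rather than by `ssl_auth_size`, so the two branches enforce different ranges and fuzzed tickets can still store values that are not valid auth types. A single runtime check in both modes would be stricter and would match the error handling just above it: `if (temp >= ssl_auth_size) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; }`. If the modulo is kept so that fuzzed tickets continue to parse, a comment such as `/* Fuzzer tickets are unauthenticated; clamp so the later shift by authType is defined. */` would record why the branches differ. The shift itself and the rest of ssl_ParseSessionTicket lie outside this hunk.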