[tor-commits] [torbrowser/maint-2.3] Bug #6492: Fix the Tor Browser SIGFPE crash bug

mikeperry at torproject.org mikeperry at torproject.org
Tue Jul 31 01:53:24 UTC 2012 

commit 0087524ee74ece1c5e12838e4f2823335d06679e
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Mon Jul 30 18:48:00 2012 -0700

    Bug #6492: Fix the Tor Browser SIGFPE crash bug
    
    All reported crashy sites no longer crash for me with this version.
---
 ...ize-HTTP-request-order-and-pipeline-depth.patch |   26 +++++++++++--------
 1 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch b/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch
index 407296e..96df3f7 100644
--- a/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch
+++ b/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch
@@ -1,7 +1,7 @@
-From 54b2fce6f6dc202de87414d828ef5328f368f1f3 Mon Sep 17 00:00:00 2001
+From 1777a19229cf111156aeae078344a27f34c953c3 Mon Sep 17 00:00:00 2001
 From: Mike Perry <mikeperry-git at torproject.org>
 Date: Fri, 20 Jul 2012 18:13:44 -0700
-Subject: [PATCH 17/19] Randomize HTTP request order and pipeline depth.
+Subject: [PATCH 17/21] Randomize HTTP request order and pipeline depth.
 
 This is an experimental defense against
 http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf
@@ -19,12 +19,12 @@ similar behavior...
 The good news is we now randomize SPDY request order as well as pipeline
 request order (though SPDY is still disabled by default in TBB).
 ---
- netwerk/protocol/http/nsHttpConnectionMgr.cpp |   54 +++++++++++++++++++++++--
+ netwerk/protocol/http/nsHttpConnectionMgr.cpp |   58 +++++++++++++++++++++++--
  netwerk/protocol/http/nsHttpConnectionMgr.h   |    3 +
- 2 files changed, 53 insertions(+), 4 deletions(-)
+ 2 files changed, 57 insertions(+), 4 deletions(-)
 
 diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
-index 5336c7d..b20e770 100644
+index 5336c7d..b94ee31 100644
 --- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp
 +++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
 @@ -52,6 +52,8 @@
@@ -36,7 +36,7 @@ index 5336c7d..b20e770 100644
  using namespace mozilla;
  
  // defined by the socket transport service while active
-@@ -70,15 +72,37 @@ InsertTransactionSorted(nsTArray<nsHttpTransaction*> &pendingQ, nsHttpTransactio
+@@ -70,15 +72,39 @@ InsertTransactionSorted(nsTArray<nsHttpTransaction*> &pendingQ, nsHttpTransactio
      // insert into queue with smallest valued number first.  search in reverse
      // order under the assumption that many of the existing transactions will
      // have the same priority (usually 0).
@@ -69,6 +69,8 @@ index 5336c7d..b20e770 100644
 +    // Choose random destination begin..end
 +    PRInt32 count = 1+end - begin;
 +
++    if (count == 0) count = 1; // shouldn't happen...
++
 +    // FIXME: rand() is not crypto-secure.. but meh, this code will probably
 +    // change like 2 dozen more times before merge, and rand() is probably 
 +    // good enough for our purposes anyways.
@@ -78,7 +80,7 @@ index 5336c7d..b20e770 100644
  }
  
  //-----------------------------------------------------------------------------
-@@ -101,6 +125,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr()
+@@ -101,6 +127,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr()
      mCT.Init();
      mAlternateProtocolHash.Init(16);
      mSpdyPreferredHash.Init();
@@ -91,7 +93,7 @@ index 5336c7d..b20e770 100644
  }
  
  nsHttpConnectionMgr::~nsHttpConnectionMgr()
-@@ -1115,6 +1145,19 @@ nsHttpConnectionMgr::AtActiveConnectionLimit(nsConnectionEntry *ent, PRUint8 cap
+@@ -1115,6 +1147,19 @@ nsHttpConnectionMgr::AtActiveConnectionLimit(nsConnectionEntry *ent, PRUint8 cap
          maxPersistConns = mMaxPersistConnsPerHost;
      }
  
@@ -111,12 +113,14 @@ index 5336c7d..b20e770 100644
      // use >= just to be safe
      bool result = (totalCount >= maxConns) || ( (caps & NS_HTTP_ALLOW_KEEPALIVE) &&
                                                (persistCount >= maxPersistConns) );
-@@ -1250,6 +1293,9 @@ nsHttpConnectionMgr::AddToShortestPipeline(nsConnectionEntry *ent,
+@@ -1250,6 +1295,11 @@ nsHttpConnectionMgr::AddToShortestPipeline(nsConnectionEntry *ent,
  
      maxdepth = PR_MIN(maxdepth, depthLimit);
  
-+    // This is a crazy hack to randomize pipeline depth a bit more..
-+    maxdepth = 1 + maxdepth/2 + (rand() % (maxdepth/2));
++    if (maxdepth/2 > 1) { 
++      // This is a crazy hack to randomize pipeline depth a bit more..
++      maxdepth = 1 + maxdepth/2 + (rand() % (maxdepth/2));
++    }
 +
      if (maxdepth < 2)
          return false;

More information about the tor-commits mailing list