Enforce max failure_count in BackoffEntrySerializer.

net_backoff_entry_serializer_fuzzer found an input that contains a very large failure_count. BackoffEntrySerializer::DeserializeFromValue loops |failure_count| times to initialize the BackoffEntry. In the worst case, we could wind up looping MAX_INT times. This CL modifies BackoffEntrySerializer::DeserializeFromValue to cap the failure_count to a maximum value. Bug: 1112132 Change-Id: Ifb7b6bf02161348b6f237b23b016f9fb0fee7fc9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2336853 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#795066}

Enforce max failure_count in BackoffEntrySerializer.
net_backoff_entry_serializer_fuzzer found an input that contains a very large failure_count. BackoffEntrySerializer::DeserializeFromValue loops |failure_count| times to initialize the BackoffEntry. In the worst case, we could wind up looping MAX_INT times. This CL modifies BackoffEntrySerializer::DeserializeFromValue to cap the failure_count to a maximum value. Bug: 1112132 Change-Id: Ifb7b6bf02161348b6f237b23b016f9fb0fee7fc9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2336853 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#795066}
5aea4642 · Daniel McArdle · Commit Bot · 2d2941f9 · 5aea4642
Commit 5aea4642 authored Aug 05, 2020 by Daniel McArdle Committed by Commit Bot Aug 05, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 1 deletion

net/base/backoff_entry_serializer.cc net/base/backoff_entry_serializer.cc +14 -1

No files found.
--- a/net/base/backoff_entry_serializer.cc
+++ b/net/base/backoff_entry_serializer.cc
@@ -4,6 +4,7 @@
 #include "net/base/backoff_entry_serializer.h"
+#include <algorithm>
 #include <utility>
 #include "base/strings/string_number_conversions.h"
@@ -15,6 +16,15 @@ namespace {
 // Increment this number when changing the serialization format, to avoid old
 // serialized values loaded from disk etc being misinterpreted.
 const int kSerializationFormatVersion = 1;
+// This max defines how many times we are willing to call
+// |BackoffEntry::InformOfRequest| in |DeserializeFromValue|.
+//
+// This value is meant to large enough that the computed backoff duration can
+// still be saturated. Given that the duration is an int64 and assuming 1.01 as
+// a conservative lower bound for BackoffEntry::Policy::multiply_factor,
+// ceil(log(2**63-1, 1.01)) = 4389.
+const int kMaxFailureCount = 4389;
 }  // namespace
 namespace net {
@@ -57,8 +67,11 @@ std::unique_ptr<BackoffEntry> BackoffEntrySerializer::DeserializeFromValue(
  }
  int failure_count;
-  if (!serialized_list->GetInteger(1, &failure_count) || failure_count < 0)
+  if (!serialized_list->GetInteger(1, &failure_count) || failure_count < 0) {
    return nullptr;
+  }
+  failure_count = std::min(failure_count, kMaxFailureCount);
  double original_backoff_duration_double;
  if (!serialized_list->GetDouble(2, &original_backoff_duration_double))
    return nullptr;