net: fix bug in compact HSTS representation.

In r298580, I added a bug where jumps to the very beginning of the data (bit offset zero) would be rejected. This was found by fuzzing. BUG=none Review URL: https://codereview.chromium.org/663903002 Cr-Commit-Position: refs/heads/master@{#300324}

net: fix bug in compact HSTS representation.
In r298580, I added a bug where jumps to the very beginning of the data (bit offset zero) would be rejected. This was found by fuzzing. BUG=none Review URL: https://codereview.chromium.org/663903002 Cr-Commit-Position: refs/heads/master@{#300324}
f1fd1df2 · agl · Commit bot · deda0a55 · f1fd1df2 · f1fd1df2
Commit f1fd1df2 authored Oct 20, 2014 by agl Committed by Commit bot Oct 20, 2014
Showing with 26 additions and 3 deletions

net/http/transport_security_state.cc net/http/transport_security_state.cc +3 -3

net/http/transport_security_state_unittest.cc net/http/transport_security_state_unittest.cc +23 -0

No files found.
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -552,7 +552,7 @@ bool DecodeHSTSPreloadRaw(const std::string& hostname,
          return false;
        }

-        if (bit_offset <= jump_delta) {
+        if (bit_offset < jump_delta) {
          return false;
        }

@@ -598,8 +598,8 @@ bool DecodeHSTSPreload(const std::string& hostname,
                       PreloadResult* out) {
  bool found;
  if (!DecodeHSTSPreloadRaw(hostname, &found, out)) {
-    LOG(ERROR) << "Internal error in DecodeHSTSPreloadRaw for hostname "
-               << hostname;
+    DCHECK(false) << "Internal error in DecodeHSTSPreloadRaw for hostname "
+                  << hostname;
    return false;
  }


--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -10,6 +10,7 @@

 #include "base/base64.h"
 #include "base/files/file_path.h"
+#include "base/rand_util.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "crypto/sha2.h"
@@ -92,6 +93,28 @@ TEST_F(TransportSecurityStateTest, MatchesCase1) {
  EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state));
 }

+TEST_F(TransportSecurityStateTest, Fuzz) {
+  TransportSecurityState state;
+  TransportSecurityState::DomainState domain_state;
+
+  EnableStaticPins(&state);
+
+  for (size_t i = 0; i < 128; i++) {
+    std::string hostname;
+
+    for (;;) {
+      if (base::RandInt(0, 16) == 7) {
+        break;
+      }
+      if (i > 0 && base::RandInt(0, 7) == 7) {
+        hostname.append(1, '.');
+      }
+      hostname.append(1, 'a' + base::RandInt(0, 25));
+    }
+    state.GetStaticDomainState(hostname, &domain_state);
+  }
+}
+
 TEST_F(TransportSecurityStateTest, MatchesCase2) {
  TransportSecurityState state;
  TransportSecurityState::DomainState domain_state;