commit 0087524ee74ece1c5e12838e4f2823335d06679e Author: Mike Perry <mikeperry-git@fscked.org> Date: Mon Jul 30 18:48:00 2012 -0700 Bug #6492: Fix the Tor Browser SIGFPE crash bug All reported crashy sites no longer crash for me with this version. --- ...ize-HTTP-request-order-and-pipeline-depth.patch | 26 +++++++++++-------- 1 files changed, 15 insertions(+), 11 deletions(-) diff --git a/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch b/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch index 407296e..96df3f7 100644 --- a/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch +++ b/src/current-patches/firefox/alpha/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch @@ -1,7 +1,7 @@ -From 54b2fce6f6dc202de87414d828ef5328f368f1f3 Mon Sep 17 00:00:00 2001 +From 1777a19229cf111156aeae078344a27f34c953c3 Mon Sep 17 00:00:00 2001 From: Mike Perry <mikeperry-git@torproject.org> Date: Fri, 20 Jul 2012 18:13:44 -0700 -Subject: [PATCH 17/19] Randomize HTTP request order and pipeline depth. +Subject: [PATCH 17/21] Randomize HTTP request order and pipeline depth. This is an experimental defense against http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf @@ -19,12 +19,12 @@ similar behavior... The good news is we now randomize SPDY request order as well as pipeline request order (though SPDY is still disabled by default in TBB). --- - netwerk/protocol/http/nsHttpConnectionMgr.cpp | 54 +++++++++++++++++++++++-- + netwerk/protocol/http/nsHttpConnectionMgr.cpp | 58 +++++++++++++++++++++++-- netwerk/protocol/http/nsHttpConnectionMgr.h | 3 + - 2 files changed, 53 insertions(+), 4 deletions(-) + 2 files changed, 57 insertions(+), 4 deletions(-) diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp -index 5336c7d..b20e770 100644 +index 5336c7d..b94ee31 100644 --- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp +++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp @@ -52,6 +52,8 @@ @@ -36,7 +36,7 @@ index 5336c7d..b20e770 100644 using namespace mozilla; // defined by the socket transport service while active -@@ -70,15 +72,37 @@ InsertTransactionSorted(nsTArray<nsHttpTransaction*> &pendingQ, nsHttpTransactio +@@ -70,15 +72,39 @@ InsertTransactionSorted(nsTArray<nsHttpTransaction*> &pendingQ, nsHttpTransactio // insert into queue with smallest valued number first. search in reverse // order under the assumption that many of the existing transactions will // have the same priority (usually 0). @@ -69,6 +69,8 @@ index 5336c7d..b20e770 100644 + // Choose random destination begin..end + PRInt32 count = 1+end - begin; + ++ if (count == 0) count = 1; // shouldn't happen... ++ + // FIXME: rand() is not crypto-secure.. but meh, this code will probably + // change like 2 dozen more times before merge, and rand() is probably + // good enough for our purposes anyways. @@ -78,7 +80,7 @@ index 5336c7d..b20e770 100644 } //----------------------------------------------------------------------------- -@@ -101,6 +125,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() +@@ -101,6 +127,12 @@ nsHttpConnectionMgr::nsHttpConnectionMgr() mCT.Init(); mAlternateProtocolHash.Init(16); mSpdyPreferredHash.Init(); @@ -91,7 +93,7 @@ index 5336c7d..b20e770 100644 } nsHttpConnectionMgr::~nsHttpConnectionMgr() -@@ -1115,6 +1145,19 @@ nsHttpConnectionMgr::AtActiveConnectionLimit(nsConnectionEntry *ent, PRUint8 cap +@@ -1115,6 +1147,19 @@ nsHttpConnectionMgr::AtActiveConnectionLimit(nsConnectionEntry *ent, PRUint8 cap maxPersistConns = mMaxPersistConnsPerHost; } @@ -111,12 +113,14 @@ index 5336c7d..b20e770 100644 // use >= just to be safe bool result = (totalCount >= maxConns) || ( (caps & NS_HTTP_ALLOW_KEEPALIVE) && (persistCount >= maxPersistConns) ); -@@ -1250,6 +1293,9 @@ nsHttpConnectionMgr::AddToShortestPipeline(nsConnectionEntry *ent, +@@ -1250,6 +1295,11 @@ nsHttpConnectionMgr::AddToShortestPipeline(nsConnectionEntry *ent, maxdepth = PR_MIN(maxdepth, depthLimit); -+ // This is a crazy hack to randomize pipeline depth a bit more.. -+ maxdepth = 1 + maxdepth/2 + (rand() % (maxdepth/2)); ++ if (maxdepth/2 > 1) { ++ // This is a crazy hack to randomize pipeline depth a bit more.. ++ maxdepth = 1 + maxdepth/2 + (rand() % (maxdepth/2)); ++ } + if (maxdepth < 2) return false;