6 files changed, 150 insertions, 0 deletions
diff --git a/netwerk/base/nsBaseChannel.cpp b/netwerk/base/nsBaseChannel.cpp
index 2575fac04..51caa546e 100644
--- a/netwerk/base/nsBaseChannel.cpp
+++ b/netwerk/base/nsBaseChannel.cpp
@@ -579,6 +579,12 @@ NS_IMETHODIMP
 nsBaseChannel::SetContentDispositionFilename(const nsAString &aContentDispositionFilename)
 {
   mContentDispositionFilename = new nsString(aContentDispositionFilename);
+
+  // For safety reasons ensure the filename doesn't contain null characters and
+  // replace them with underscores. We may later pass the extension to system
+  // MIME APIs that expect null terminated strings.
+  mContentDispositionFilename->ReplaceChar(char16_t(0), '_');
+
   return NS_OK;
 }
 
diff --git a/netwerk/protocol/http/HttpBaseChannel.cpp b/netwerk/protocol/http/HttpBaseChannel.cpp
index a53022f71..bf8e17537 100644
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -562,6 +562,12 @@ NS_IMETHODIMP
 HttpBaseChannel::SetContentDispositionFilename(const nsAString& aContentDispositionFilename)
 {
   mContentDispositionFilename = new nsString(aContentDispositionFilename);
+
+  // For safety reasons ensure the filename doesn't contain null characters and
+  // replace them with underscores. We may later pass the extension to system
+  // MIME APIs that expect null terminated strings.
+  mContentDispositionFilename->ReplaceChar(char16_t(0), '_');
+
   return NS_OK;
 }
 
diff --git a/netwerk/sctp/src/netinet/sctp_input.c b/netwerk/sctp/src/netinet/sctp_input.c
index 1301b430c..f469e0f5c 100755
--- a/netwerk/sctp/src/netinet/sctp_input.c
+++ b/netwerk/sctp/src/netinet/sctp_input.c
@@ -2517,6 +2517,27 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
 		/* cookie too small */
 		return (NULL);
 	}
+#if defined(__Userspace__)
+	/*
+	 * Recover the AF_CONN addresses within the cookie.
+	 * This needs to be done in the buffer provided for later processing
+	 * of the cookie and in the mbuf chain for HMAC validation.
+	 */
+	if ((cookie->addr_type == SCTP_CONN_ADDRESS) && (src->sa_family == AF_CONN)) {
+		struct sockaddr_conn *sconnp = (struct sockaddr_conn *)src;
+
+		memcpy(cookie->address, &sconnp->sconn_addr , sizeof(void *));
+		m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, address),
+		           (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+	}
+	if ((cookie->laddr_type == SCTP_CONN_ADDRESS) && (dst->sa_family == AF_CONN)) {
+		struct sockaddr_conn *sconnp = (struct sockaddr_conn *)dst;
+
+		memcpy(cookie->laddress, &sconnp->sconn_addr , sizeof(void *));
+		m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, laddress),
+		           (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+	}
+#endif
 	/*
 	 * split off the signature into its own mbuf (since it should not be
 	 * calculated in the sctp_hmac_m() call).
diff --git a/netwerk/sctp/src/netinet/sctp_output.c b/netwerk/sctp/src/netinet/sctp_output.c
index 49447fa9d..3f1a9525d 100755
--- a/netwerk/sctp/src/netinet/sctp_output.c
+++ b/netwerk/sctp/src/netinet/sctp_output.c
@@ -6492,6 +6492,27 @@ sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
 			  (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
 			  SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
 			  (uint8_t *)signature, SCTP_SIGNATURE_SIZE);
+#if defined(__Userspace__)
+	/*
+	 * Don't put AF_CONN addresses on the wire, in case this is critical
+	 * for the application. However, they are protected by the HMAC and
+	 * need to be reconstructed before checking the HMAC.
+	 * Clearing is only done in the mbuf chain, since the local stc is
+	 * not used anymore.
+	 */
+	if (stc.addr_type == SCTP_CONN_ADDRESS) {
+		const void *p = NULL;
+
+		m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, address),
+		           (int)sizeof(void *), (caddr_t)&p);
+	}
+	if (stc.laddr_type == SCTP_CONN_ADDRESS) {
+		const void *p = NULL;
+
+		m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, laddress),
+		           (int)sizeof(void *), (caddr_t)&p);
+	}
+#endif
 	/*
 	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
 	 * here since the timer will drive a retranmission.
diff --git a/netwerk/test/gtest/TestBase64Stream.cpp b/netwerk/test/gtest/TestBase64Stream.cpp
new file mode 100644
index 000000000..37f5cb824
--- /dev/null
+++ b/netwerk/test/gtest/TestBase64Stream.cpp
@@ -0,0 +1,95 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+#include "mozilla/Base64.h"
+#include "nsIInputStream.h"
+
+namespace mozilla {
+namespace net {
+
+// An input stream whose ReadSegments method calls aWriter with writes of size
+// aStep from the provided aInput in order to test edge-cases related to small
+// buffers.
+class TestStream final : public nsIInputStream {
+ public:
+  NS_DECL_ISUPPORTS;
+
+  TestStream(const nsACString& aInput, uint32_t aStep)
+      : mInput(aInput), mStep(aStep) {}
+
+  NS_IMETHOD Close() override { MOZ_CRASH("This should not be called"); }
+
+  NS_IMETHOD Available(uint64_t* aLength) override {
+    *aLength = mInput.Length() - mPos;
+    return NS_OK;
+  }
+
+  NS_IMETHOD Read(char* aBuffer, uint32_t aCount,
+                  uint32_t* aReadCount) override {
+    MOZ_CRASH("This should not be called");
+  }
+
+  NS_IMETHOD ReadSegments(nsWriteSegmentFun aWriter, void* aClosure,
+                          uint32_t aCount, uint32_t* aResult) override {
+    *aResult = 0;
+
+    if (mPos == mInput.Length()) {
+      return NS_OK;
+    }
+
+    while (aCount > 0) {
+      uint32_t amt = std::min(mStep, (uint32_t)(mInput.Length() - mPos));
+
+      uint32_t read = 0;
+      nsresult rv =
+          aWriter(this, aClosure, mInput.get() + mPos, *aResult, amt, &read);
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return rv;
+      }
+
+      *aResult += read;
+      aCount -= read;
+      mPos += read;
+    }
+
+    return NS_OK;
+  }
+
+  NS_IMETHOD IsNonBlocking(bool* aNonBlocking) override {
+    *aNonBlocking = true;
+    return NS_OK;
+  }
+
+ private:
+  ~TestStream() = default;
+
+  nsCString mInput;
+  const uint32_t mStep;
+  uint32_t mPos = 0;
+};
+
+NS_IMPL_ISUPPORTS(TestStream, nsIInputStream)
+
+// Test the base64 encoder with writer buffer sizes between 1 byte and the
+// entire length of "Hello World!" in order to exercise various edge cases.
+TEST(TestBase64Stream, Run)
+{
+  nsCString input;
+  input.AssignLiteral("Hello World!");
+
+  for (uint32_t step = 1; step <= input.Length(); ++step) {
+    RefPtr<TestStream> ts = new TestStream(input, step);
+
+    nsAutoString encodedData;
+    nsresult rv = Base64EncodeInputStream(ts, encodedData, input.Length());
+    ASSERT_TRUE(NS_SUCCEEDED(rv));
+
+    EXPECT_TRUE(encodedData.EqualsLiteral("SGVsbG8gV29ybGQh"));
+  }
+}
+
+}  // namespace net
+}  // namespace mozilla
diff --git a/netwerk/test/gtest/moz.build b/netwerk/test/gtest/moz.build
index 6e6c80152..e463feb65 100644
--- a/netwerk/test/gtest/moz.build
+++ b/netwerk/test/gtest/moz.build
@@ -5,6 +5,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 UNIFIED_SOURCES += [
+    'TestBase64Stream.cpp',
     'TestProtocolProxyService.cpp',
     'TestStandardURL.cpp',
 ]