82823 2012-03-30 22:35:57 -0700 [WebSocket]Browser should have platform-specific limitations regarding the frame size 2016-05-18 21:06:18 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All UNCONFIRMED P2 Normal --- 0 li.yin webkit-unassigned abarth ap bashi bfulgham tkent wilander yutak oldest_to_newest 592802 0 li.yin 2012-03-30 22:35:57 -0700 From RFC 6455 http://tools.ietf.org/html/rfc6455#section-10.4 Browser should have platform-specific limitations regarding the frame size. It MUST protect themselves against exceeding those limits. For example, a malicious endpoint can try to exhaust its peer's memory or mount a denial-of-service attack by sending a single big frame (e.g., of size 2**60) 592803 1 134944 li.yin 2012-03-30 22:55:06 -0700 Created attachment 134944 Patch 592806 2 li.yin 2012-03-30 23:46:33 -0700 A malicious endpoint can try to send a long stream of small frames that are a part of a fragmented message, it can exhaust the memory of browser too. I plan to split this case into another bug, do you think it is Okay? 592895 3 134944 ap 2012-03-31 11:21:10 -0700 Comment on attachment 134944 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=134944&action=review > Source/WebCore/ChangeLog:9 > + Protect browser against exhausting its memory, when it reecives a very big Frame(e.g., of size 2**60). Typo: reecives. > Source/WebCore/Modules/websockets/WebSocketChannel.cpp:87 > +// FIXME: frameSizeLimitation should be platform-specific > +const size_t frameSizeLimitation = 500 * 1024 * 1024; This needs an explanation of how each platform would choose the limit. It's not even clear why a hardcoded limit is appropriate. How was this value chosen, for example? 592950 4 li.yin 2012-03-31 17:43:17 -0700 (In reply to comment #3) > > Source/WebCore/Modules/websockets/WebSocketChannel.cpp:87 > > +// FIXME: frameSizeLimitation should be platform-specific > > +const size_t frameSizeLimitation = 500 * 1024 * 1024; > > This needs an explanation of how each platform would choose the limit. It's not even clear why a hardcoded limit is appropriate. How was this value chosen, for example? There is not specific definition about the frameSizeLimitation value in the RFC6455. In fact, there will not a very exact limitation value, it should be related with current free memory. But it will be difficult algorithm if we compute the current free memory. In addition, taking the efficiency into consideration, the most and normal scenarios should not send the big frame, so setting the value just prevent the malicious attack. So I suggest the smaller limitation value will be better. But I have no idea how to check that it is appropriate or not. What is your opinion? 592976 5 ap 2012-04-01 00:09:13 -0700 We should start with what we want to achieve, not how. If there is no practical issue to fix, we should not do anything. Otherwise, let's discuss the issue and its severity first. 592998 6 li.yin 2012-04-01 01:51:26 -0700 (In reply to comment #5) > We should start with what we want to achieve, not how. > > If there is no practical issue to fix, we should not do anything. Otherwise, let's discuss the issue and its severity first. But from RFC 6455, browser MUST protect themselves against exceeding those memory limits. If browser can't allocate the more memory, maybe it will crash. Taking the security into consideration, I think this is still valuable to do it. 593069 7 ap 2012-04-01 12:37:55 -0700 Some easier ways to protect against this would be: 1. Fail gracefully when allocation fails. 2. Allocate memory when data is actually received, not when frame header states that it will be huge (maybe we already do that?) What's complicated about the approach suggested here is that there is no guidance about how to choose the limit on each platform. And the limit should really be the same across platforms for compatibility. It's normal that huge content will cause out of memory situations in the engine. We have no protections against crashing when receiving a multi-gigabyte HTML file, for example. The kind of issues we generally protect against is when a single value somewhere can cause out of memory situations, making for an easy denial of service attack. 593149 8 li.yin 2012-04-01 20:08:39 -0700 (In reply to comment #7) > Some easier ways to protect against this would be: > > 1. Fail gracefully when allocation fails. > 2. Allocate memory when data is actually received, not when frame header states that it will be huge (maybe we already do that?) Yeah, browser used tryFastMalloc function to allocate memory, when it received a single frame whose final bit was set to be 1, which indeed can protect browser against crash. But when browser received a long stream of small frames that are a part of a fragmented message, it used "append" function to add data into Vector<char> m_continuousFrameData, maybe it fail because of no memory, I think using "tryappend" to replace "append" function can protect the browser against crash. Maybe we will need a patch to do that, do you think so? 593486 9 ap 2012-04-02 08:22:17 -0700 > But when browser received a long stream of small frames that are a part of a fragmented message I don't think that this is a case worth protecting against. There is no reason to have complicated out of memory protections in WebSocket code when it's just as easy to crash the browser with a huge HTML file. 134944 2012-03-30 22:55:06 -0700 2012-03-31 11:21:10 -0700 Patch bug-82823-20120401135725.patch text/plain 7654 li.yin U3VidmVyc2lvbiBSZXZpc2lvbjogMTEyNjQ2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggODE2YmE2YWZmMDVmOTli YTA4N2EyN2ViOTkyM2U5OGI1ZWZkOTFjMS4uYzgxNjJkMGU1OTMxOTc5MzU2MjlmZTQ0MjQ5Y2Y0 MmQzNDI3NzU3MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5IEBACisyMDEyLTAzLTMxICBMaSBZ aW4gIDxsaS55aW5AaW50ZWwuY29tPgorCisgICAgICAgIFtXZWJTb2NrZXRdQnJvd3NlciBzaG91 bGQgaGF2ZSBwbGF0Zm9ybS1zcGVjaWZpYyBsaW1pdGF0aW9ucyByZWdhcmRpbmcgdGhlIGZyYW1l IHNpemUKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgy ODIzCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgRnJv bSBSRkM2NDU1OiBodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmM2NDU1I3NlY3Rpb24tMTAu NAorICAgICAgICBQcm90ZWN0IGJyb3dzZXIgYWdhaW5zdCBleGhhdXN0aW5nIGl0cyBtZW1vcnks IHdoZW4gaXQgcmVlY2l2ZXMgYSB2ZXJ5IGJpZyBGcmFtZShlLmcuLCBvZiBzaXplIDIqKjYwKS4K KworICAgICAgICBUZXN0OiBodHRwL3Rlc3RzL3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rvby1sb25n LXBheWxvYWQuaHRtbAorCisgICAgICAgICogTW9kdWxlcy93ZWJzb2NrZXRzL1dlYlNvY2tldENo YW5uZWwuY3BwOgorICAgICAgICAoV2ViQ29yZSk6CisgICAgICAgIChXZWJDb3JlOjpXZWJTb2Nr ZXRDaGFubmVsOjpwYXJzZUZyYW1lKToKKwogMjAxMi0wMy0zMCAgUGhpbGlwcGUgTm9ybWFuZCAg PHBub3JtYW5kQGlnYWxpYS5jb20+CiAKICAgICAgICAgW0dUS10gV2ViQXVkaW8gY2hhbm5lbFNp emUgaXNzdWUKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL01vZHVsZXMvd2Vic29ja2V0cy9X ZWJTb2NrZXRDaGFubmVsLmNwcCBiL1NvdXJjZS9XZWJDb3JlL01vZHVsZXMvd2Vic29ja2V0cy9X ZWJTb2NrZXRDaGFubmVsLmNwcAppbmRleCAxMDQ4MTNiMGRmNmJhOThiNWMwMWQ5ZjJlM2UwMzEz YzNlNDRmM2I1Li43M2MzNTI5MDJjODc5N2QzMGI3NmRiMGI4ZDFhZmU3YzFkYmEwNDY0IDEwMDY0 NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9Nb2R1bGVzL3dlYnNvY2tldHMvV2ViU29ja2V0Q2hhbm5l bC5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvTW9kdWxlcy93ZWJzb2NrZXRzL1dlYlNvY2tldENo YW5uZWwuY3BwCkBAIC04Myw2ICs4Myw4IEBAIGNvbnN0IHNpemVfdCBtYXhQYXlsb2FkTGVuZ3Ro V2l0aG91dEV4dGVuZGVkTGVuZ3RoRmllbGQgPSAxMjU7CiBjb25zdCBzaXplX3QgcGF5bG9hZExl bmd0aFdpdGhUd29CeXRlRXh0ZW5kZWRMZW5ndGhGaWVsZCA9IDEyNjsKIGNvbnN0IHNpemVfdCBw YXlsb2FkTGVuZ3RoV2l0aEVpZ2h0Qnl0ZUV4dGVuZGVkTGVuZ3RoRmllbGQgPSAxMjc7CiBjb25z dCBzaXplX3QgbWFza2luZ0tleVdpZHRoSW5CeXRlcyA9IDQ7CisvLyBGSVhNRTogZnJhbWVTaXpl TGltaXRhdGlvbiBzaG91bGQgYmUgcGxhdGZvcm0tc3BlY2lmaWMKK2NvbnN0IHNpemVfdCBmcmFt ZVNpemVMaW1pdGF0aW9uID0gNTAwICogMTAyNCAqIDEwMjQ7CiAKIFdlYlNvY2tldENoYW5uZWw6 OldlYlNvY2tldENoYW5uZWwoRG9jdW1lbnQqIGRvY3VtZW50LCBXZWJTb2NrZXRDaGFubmVsQ2xp ZW50KiBjbGllbnQpCiAgICAgOiBtX2RvY3VtZW50KGRvY3VtZW50KQpAQCAtNTk5LDEzICs2MDEs NyBAQCBXZWJTb2NrZXRDaGFubmVsOjpQYXJzZUZyYW1lUmVzdWx0IFdlYlNvY2tldENoYW5uZWw6 OnBhcnNlRnJhbWUoV2ViU29ja2V0RnJhbWUmCiAgICAgICAgIH0KICAgICB9CiAKLSAgICAvLyBG SVhNRTogVUlOVDY0X0MoMHg3RkZGRkZGRkZGRkZGRkZGKSBzaG91bGQgYmUgdXNlZCBidXQgaXQg ZGlkIG5vdCBjb21waWxlIG9uIFF0IGJvdHMuCi0jaWYgQ09NUElMRVIoTVNWQykKLSAgICBzdGF0 aWMgY29uc3QgdWludDY0X3QgbWF4UGF5bG9hZExlbmd0aCA9IDB4N0ZGRkZGRkZGRkZGRkZGRnVp NjQ7Ci0jZWxzZQotICAgIHN0YXRpYyBjb25zdCB1aW50NjRfdCBtYXhQYXlsb2FkTGVuZ3RoID0g MHg3RkZGRkZGRkZGRkZGRkZGdWxsOwotI2VuZGlmCi0gICAgaWYgKHBheWxvYWRMZW5ndGg2NCA+ IG1heFBheWxvYWRMZW5ndGggfHwgcGF5bG9hZExlbmd0aDY0ID4gbnVtZXJpY19saW1pdHM8c2l6 ZV90Pjo6bWF4KCkpIHsKKyAgICBpZiAocGF5bG9hZExlbmd0aDY0ID4gZnJhbWVTaXplTGltaXRh dGlvbikgewogICAgICAgICBmYWlsKCJXZWJTb2NrZXQgZnJhbWUgbGVuZ3RoIHRvbyBsYXJnZTog IiArIFN0cmluZzo6bnVtYmVyKHBheWxvYWRMZW5ndGg2NCkgKyAiIGJ5dGVzIik7CiAgICAgICAg IHJldHVybiBGcmFtZUVycm9yOwogICAgIH0KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5n ZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCA3MGVkNTZjMDNjNjc0NTQ4YWNlYWQx N2IyN2NhNzRjMzYwZjE5MDc1Li45YzM3MjQxODgyOTk4ZGU5NTk1ZTE2MzIwNGNkZjY0M2ZjZjJj MDU0IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMv Q2hhbmdlTG9nCkBAIC0xLDMgKzEsMTggQEAKKzIwMTItMDMtMzEgIExpIFlpbiAgPGxpLnlpbkBp bnRlbC5jb20+CisKKyAgICAgICAgW1dlYlNvY2tldF1Ccm93c2VyIHNob3VsZCBoYXZlIHBsYXRm b3JtLXNwZWNpZmljIGxpbWl0YXRpb25zIHJlZ2FyZGluZyB0aGUgZnJhbWUgc2l6ZQorICAgICAg ICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9ODI4MjMKKworICAgICAg ICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBGcm9tIFJGQzY0NTU6IGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzY0NTUjc2VjdGlvbi0xMC40CisgICAgICAgIEJy b3dzZXIgc2hvdWxkIGhhdmUgcGxhdGZvcm0tc3BlY2lmaWMgbGltaXRhdGlvbnMgcmVnYXJkaW5n IHRoZSBmcmFtZSBzaXplLgorCisgICAgICAgICogaHR0cC90ZXN0cy93ZWJzb2NrZXQvdGVzdHMv aHliaS90b28tbG9uZy1wYXlsb2FkLWV4cGVjdGVkLnR4dDoKKyAgICAgICAgKiBodHRwL3Rlc3Rz L3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rvby1sb25nLXBheWxvYWQuaHRtbDoKKyAgICAgICAgKiBo dHRwL3Rlc3RzL3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rvby1sb25nLXBheWxvYWRfd3NoLnB5Ogor ICAgICAgICAod2ViX3NvY2tldF90cmFuc2Zlcl9kYXRhKToKKwogMjAxMi0wMy0zMCAgUGhpbGlw cGUgTm9ybWFuZCAgPHBub3JtYW5kQGlnYWxpYS5jb20+CiAKICAgICAgICAgVW5yZXZpZXdlZCwg R1RLIHJlYmFzZWxpbmUgYWZ0ZXIgcjExMjU4MiBhbmQgcjExMjM5MS4KZGlmZiAtLWdpdCBhL0xh eW91dFRlc3RzL2h0dHAvdGVzdHMvd2Vic29ja2V0L3Rlc3RzL2h5YmkvdG9vLWxvbmctcGF5bG9h ZC1leHBlY3RlZC50eHQgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3dlYnNvY2tldC90ZXN0cy9o eWJpL3Rvby1sb25nLXBheWxvYWQtZXhwZWN0ZWQudHh0CmluZGV4IDkxZTFkMGIyNzJhZGFkM2Ri YmI5MTY0YTA1NWI3NTUzMzdjYmUwNTAuLjE5ZDVjMTk1OTRhNzQ3NzNmNzAzZDg5YWY4MDYyMmRi OGY3ZjliNTUgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvd2Vic29ja2V0L3Rl c3RzL2h5YmkvdG9vLWxvbmctcGF5bG9hZC1leHBlY3RlZC50eHQKKysrIGIvTGF5b3V0VGVzdHMv aHR0cC90ZXN0cy93ZWJzb2NrZXQvdGVzdHMvaHliaS90b28tbG9uZy1wYXlsb2FkLWV4cGVjdGVk LnR4dApAQCAtMSw4ICsxLDE0IEBACiBDT05TT0xFIE1FU1NBR0U6IFdlYlNvY2tldCBmcmFtZSBs ZW5ndGggdG9vIGxhcmdlOiA5MjIzMzcyMDM2ODU0Nzc1ODA4IGJ5dGVzCitDT05TT0xFIE1FU1NB R0U6IFdlYlNvY2tldCBmcmFtZSBsZW5ndGggdG9vIGxhcmdlOiA1MjQyODgwMDEgYnl0ZXMKIFRl c3RzIHdoZXRoZXIgV2ViU29ja2V0IGNvcnJlY3RseSBhYm9ydHMgdGhlIGNvbm5lY3Rpb24gd2hl biBpdCByZWNlaXZlcyBhIGZyYW1lIHdpdGggdG9vIGxvbmcgcGF5bG9hZC4KIAogT24gc3VjY2Vz cywgeW91IHdpbGwgc2VlIGEgc2VyaWVzIG9mICJQQVNTIiBtZXNzYWdlcywgZm9sbG93ZWQgYnkg IlRFU1QgQ09NUExFVEUiLgogCitsZW5ndGhDYXNlOiBtYXhQbGF5bG9hZExlbmd0aCBzdGFydC4K K29ub3BlbigpIHdhcyBjYWxsZWQuCitvbmNsb3NlKCkgd2FzIGNhbGxlZC4KK1BBU1MgY2xvc2VF dmVudC53YXNDbGVhbiBpcyBmYWxzZQorbGVuZ3RoQ2FzZTogbGltaXRQbGF5bG9hZExlbmd0aCBz dGFydC4KIG9ub3BlbigpIHdhcyBjYWxsZWQuCiBvbmNsb3NlKCkgd2FzIGNhbGxlZC4KIFBBU1Mg Y2xvc2VFdmVudC53YXNDbGVhbiBpcyBmYWxzZQpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy93ZWJzb2NrZXQvdGVzdHMvaHliaS90b28tbG9uZy1wYXlsb2FkLmh0bWwgYi9MYXlv dXRUZXN0cy9odHRwL3Rlc3RzL3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rvby1sb25nLXBheWxvYWQu aHRtbAppbmRleCA2YjE0N2IwMzI4YzM5YjAzZWY4ZjM0OTIzYmI0N2UzN2RkOWJhNzM3Li5kZjc5 MDI2ODZkNDM3YmM0ZDc4MTYxNTE4NDdjMTMyODI4ZWE2OTk5IDEwMDY0NAotLS0gYS9MYXlvdXRU ZXN0cy9odHRwL3Rlc3RzL3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rvby1sb25nLXBheWxvYWQuaHRt bAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rvby1s b25nLXBheWxvYWQuaHRtbApAQCAtMTMsMjcgKzEzLDQyIEBAIHdpbmRvdy5qc1Rlc3RJc0FzeW5j ID0gdHJ1ZTsKIGlmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpCiAgICAgbGF5b3V0VGVz dENvbnRyb2xsZXIub3ZlcnJpZGVQcmVmZXJlbmNlKCJXZWJLaXRIaXhpZTc2V2ViU29ja2V0UHJv dG9jb2xFbmFibGVkIiwgMCk7CiAKLXZhciB3cyA9IG5ldyBXZWJTb2NrZXQoIndzOi8vMTI3LjAu MC4xOjg4ODAvd2Vic29ja2V0L3Rlc3RzL2h5YmkvdG9vLWxvbmctcGF5bG9hZCIpOwordmFyIGxl bmd0aENhc2UgPSBbIm1heFBsYXlsb2FkTGVuZ3RoIiwgImxpbWl0UGxheWxvYWRMZW5ndGgiXTsK KwogdmFyIGNsb3NlRXZlbnQ7CiAKLXdzLm9ub3BlbiA9IGZ1bmN0aW9uKCkKK2Z1bmN0aW9uIGRv VGVzdChpbmRleCkKIHsKLSAgICBkZWJ1Zygib25vcGVuKCkgd2FzIGNhbGxlZC4iKTsKLX07Cisg ICAgdmFyIHVybCA9ICJ3czovLzEyNy4wLjAuMTo4ODgwL3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rv by1sb25nLXBheWxvYWQ/bGVuZ3RoQ2FzZT0iICsgbGVuZ3RoQ2FzZVtpbmRleF07CisgICAgdmFy IHdzID0gbmV3IFdlYlNvY2tldCh1cmwpOwogCi13cy5vbm1lc3NhZ2UgPSBmdW5jdGlvbihldmVu dCkKLXsKLSAgICB2YXIgbWVzc2FnZSA9IGV2ZW50LmRhdGE7Ci0gICAgdGVzdEZhaWxlZCgib25t ZXNzYWdlKCkgd2FzIGNhbGxlZC4gKG1lc3NhZ2UgPSBcIiIgKyBtZXNzYWdlICsgIlwiKSIpOwot fTsKKyAgICBkZWJ1ZygibGVuZ3RoQ2FzZTogIiArIGxlbmd0aENhc2VbaW5kZXhdICsgIiBzdGFy dC4iKTsKIAotd3Mub25jbG9zZSA9IGZ1bmN0aW9uKGV2ZW50KQotewotICAgIGRlYnVnKCJvbmNs b3NlKCkgd2FzIGNhbGxlZC4iKTsKLSAgICBjbG9zZUV2ZW50ID0gZXZlbnQ7Ci0gICAgc2hvdWxk QmVGYWxzZSgiY2xvc2VFdmVudC53YXNDbGVhbiIpOwotICAgIGZpbmlzaEpTVGVzdCgpOwotfTsK KyAgICB3cy5vbm9wZW4gPSBmdW5jdGlvbigpCisgICAgeworICAgICAgICBkZWJ1Zygib25vcGVu KCkgd2FzIGNhbGxlZC4iKTsKKyAgICB9OworCisgICAgd3Mub25tZXNzYWdlID0gZnVuY3Rpb24o ZXZlbnQpCisgICAgeworICAgICAgICB2YXIgbWVzc2FnZSA9IGV2ZW50LmRhdGE7CisgICAgICAg IHRlc3RGYWlsZWQoIm9ubWVzc2FnZSgpIHdhcyBjYWxsZWQuIChtZXNzYWdlID0gXCIiICsgbWVz c2FnZSArICJcIikiKTsKKyAgICB9OworCisgICAgd3Mub25jbG9zZSA9IGZ1bmN0aW9uKGV2ZW50 KQorICAgIHsKKyAgICAgICAgZGVidWcoIm9uY2xvc2UoKSB3YXMgY2FsbGVkLiIpOworICAgICAg ICBjbG9zZUV2ZW50ID0gZXZlbnQ7CisgICAgICAgIHNob3VsZEJlRmFsc2UoImNsb3NlRXZlbnQu d2FzQ2xlYW4iKTsKKyAgICAgICAgaWYgKGluZGV4ID09PSBsZW5ndGhDYXNlLmxlbmd0aCAtIDEp IHsKKyAgICAgICAgICAgIGZpbmlzaEpTVGVzdCgpOworICAgICAgICAgICAgcmV0dXJuOworICAg ICAgICB9CisgICAgICAgIGRvVGVzdChpbmRleCArIDEpOworICAgIH07Cit9CisKK2RvVGVzdCgw KTsKIAogPC9zY3JpcHQ+CiA8c2NyaXB0IHNyYz0iLi4vLi4vLi4vLi4vanMtdGVzdC1yZXNvdXJj ZXMvanMtdGVzdC1wb3N0LmpzIj48L3NjcmlwdD4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0 dHAvdGVzdHMvd2Vic29ja2V0L3Rlc3RzL2h5YmkvdG9vLWxvbmctcGF5bG9hZF93c2gucHkgYi9M YXlvdXRUZXN0cy9odHRwL3Rlc3RzL3dlYnNvY2tldC90ZXN0cy9oeWJpL3Rvby1sb25nLXBheWxv YWRfd3NoLnB5CmluZGV4IDVlY2RhMzQ4YTA2MTM2ZGMyOWU1MDI3NTVmOThlYzg5OTZjNmIzNDUu LjI3ZDI1YzQzMThmZTk1ODM2MjRlYjQ4YWZiYTZlZWEzMTgyZjI2ZTkgMTAwNjQ0Ci0tLSBhL0xh eW91dFRlc3RzL2h0dHAvdGVzdHMvd2Vic29ja2V0L3Rlc3RzL2h5YmkvdG9vLWxvbmctcGF5bG9h ZF93c2gucHkKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy93ZWJzb2NrZXQvdGVzdHMvaHli aS90b28tbG9uZy1wYXlsb2FkX3dzaC5weQpAQCAtMSw2ICsxLDggQEAKIGltcG9ydCBzdHJ1Y3QK IGltcG9ydCB0aW1lCitpbXBvcnQgcmUKIGZyb20gbW9kX3B5d2Vic29ja2V0IGltcG9ydCBjb21t b24KK2Zyb20gbW9kX3B5d2Vic29ja2V0IGltcG9ydCBzdHJlYW0KIAogCiBkZWYgd2ViX3NvY2tl dF9kb19leHRyYV9oYW5kc2hha2UocmVxdWVzdCk6CkBAIC04LDcgKzEwLDE2IEBAIGRlZiB3ZWJf c29ja2V0X2RvX2V4dHJhX2hhbmRzaGFrZShyZXF1ZXN0KToKIAogCiBkZWYgd2ViX3NvY2tldF90 cmFuc2Zlcl9kYXRhKHJlcXVlc3QpOgotICAgIGxlbmd0aCA9IDB4ODAwMDAwMDAwMDAwMDAwMAor ICAgIG1hdGNoID0gcmUuc2VhcmNoKHInXD9sZW5ndGhDYXNlPShcdyspJCcsIHJlcXVlc3Qud3Nf cmVzb3VyY2UpCisgICAgaWYgbWF0Y2ggaXMgTm9uZToKKyAgICAgICAgbXNndXRpbC5zZW5kX21l c3NhZ2UocmVxdWVzdCwgJ0ZBSUw6IFF1ZXJ5IHZhbHVlIGlzIGluY29ycmVjdCBvciBtaXNzaW5n JykKKyAgICAgICAgcmV0dXJuCisKKyAgICBsZW5ndGhDYXNlID0gbWF0Y2guZ3JvdXAoMSkKKyAg ICBpZiBsZW5ndGhDYXNlID09ICJtYXhQbGF5bG9hZExlbmd0aCI6CisgICAgICAgIGxlbmd0aCA9 IDB4ODAwMDAwMDAwMDAwMDAwMAorICAgIGVsc2U6CisgICAgICAgIGxlbmd0aCA9IDUwMCAqIDEw MjQgKiAxMDI0ICsgMQogCiAgICAgIyBweXdlYnNvY2tldCByZWZ1c2VzIHRvIHNlbmQgYSBmcmFt ZSB3aXRoIHRvbyBsb25nIHBheWxvYWQuCiAgICAgIyBUaHVzLCB3ZSBuZWVkIHRvIGJ1aWxkIGEg ZnJhbWUgbWFudWFsbHkuCg==