This is an issue found by fuzz testing, but it is not a security issue.
To reproduce the issue, read the attached fuzzed file and build an HttpContent from it with the following code:
/// <summary>
/// Feeds one fuzzed file to <c>ReadAsMultipartAsync</c> and hands every exception
/// the read raises to <paramref name="exceptionTracker"/>.
/// </summary>
/// <param name="fuzzedFile">
/// Path of the fuzzed input. If its first line starts with <c>Content-Type:</c>, that
/// line supplies the media type and is removed from the body; otherwise
/// <c>multipart/mixed;boundary=x</c> is used and the whole file is the body.
/// </param>
/// <param name="exceptionTracker">Receives each exception together with the file path.</param>
/// <returns>
/// <c>true</c> when the read threw nothing, or when every <c>TryAddException</c> call
/// returned <c>true</c>; <c>false</c> otherwise.
/// </returns>
public bool ConsumeFuzzedFile(string fuzzedFile, ExceptionTracker exceptionTracker)
{
    string mediaType = "multipart/mixed;boundary=x";
    string body;
    using (var reader = new StreamReader(fuzzedFile))
    {
        body = reader.ReadToEnd();
    }

    // An optional leading "Content-Type:" line lets the fuzzed file choose its own media type.
    int lineEnd = body.IndexOf(Environment.NewLine);
    string firstLine = lineEnd > 0 ? body.Substring(0, lineEnd) : null;
    if (firstLine != null && firstLine.StartsWith("Content-Type:"))
    {
        mediaType = firstLine.Replace("Content-Type:", string.Empty).Trim();
        body = body.Substring(lineEnd + Environment.NewLine.Length);
    }

    var httpContent = new StringContent(body);

    // The header is overwritten only when the value parses; an unparseable value leaves
    // the Content-Type exactly as StringContent created it.
    MediaTypeHeaderValue parsedMediaType;
    bool mediaTypeIsValid = MediaTypeHeaderValue.TryParse(mediaType, out parsedMediaType);
    if (mediaTypeIsValid)
    {
        httpContent.Headers.ContentType = parsedMediaType;
    }

    bool allRecorded = true;
    try
    {
        // Wait() blocks on the task, so failures inside the asynchronous reader
        // arrive here wrapped in an AggregateException.
        httpContent.ReadAsMultipartAsync().Wait();
    }
    catch (AggregateException aggregate)
    {
        if (aggregate.InnerExceptions != null)
        {
            foreach (Exception inner in aggregate.InnerExceptions)
            {
                // Every inner exception is reported, even after an earlier report returned false.
                bool recorded = exceptionTracker.TryAddException(fuzzedFile, inner);
                allRecorded = allRecorded && recorded;
            }
        }
    }
    catch (Exception direct)
    {
        allRecorded = exceptionTracker.TryAddException(fuzzedFile, direct);
    }

    return allRecorded;
}
The exception details are:
System.NullReferenceException
Fuzzed file: MimeMultipartBodyPartParser\D1\FuzzedFiles\MimeMultipartBodyPartParser_11-0.txt
Stack trace: at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextSegmentAsync>d__13.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 199
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 169
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136
System.InvalidOperationException
Fuzzed file: MimeMultipartBodyPartParser\D2\FuzzedFiles\MimeMultipartBodyPartParser_13-0.txt
Stack trace: at System.Net.Http.Formatting.Parsers.MimeMultipartBodyPartParser.<ParseBuffer>d__0.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\Formatting\Parsers\MimeMultipartBodyPartParser.cs:line 166
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 166
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136
Fuzzed file: MimeMultipartBodyPartParser\D3\FuzzedFiles\MimeMultipartBodyPartParser_13-0.txt
Stack trace: at System.Net.Http.Formatting.Parsers.MimeMultipartBodyPartParser.<ParseBuffer>d__0.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\Formatting\Parsers\MimeMultipartBodyPartParser.cs:line 166
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 166
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136
Fuzzed file: MimeMultipartBodyPartParser\D8\FuzzedFiles\MimeMultipartBodyPartParser_13-0.txt
Stack trace: at System.Net.Http.Formatting.Parsers.MimeMultipartBodyPartParser.<ParseBuffer>d__0.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\Formatting\Parsers\MimeMultipartBodyPartParser.cs:line 166
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 166
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136
To reproduce the issue, read the attached fuzzed file and build an HttpContent from it with the following code:
/// <summary>
/// Feeds one fuzzed file to <c>ReadAsMultipartAsync</c> and hands every exception
/// the read raises to <paramref name="exceptionTracker"/>.
/// </summary>
/// <param name="fuzzedFile">
/// Path of the fuzzed input. If its first line starts with <c>Content-Type:</c>, that
/// line supplies the media type and is removed from the body; otherwise
/// <c>multipart/mixed;boundary=x</c> is used and the whole file is the body.
/// </param>
/// <param name="exceptionTracker">Receives each exception together with the file path.</param>
/// <returns>
/// <c>true</c> when the read threw nothing, or when every <c>TryAddException</c> call
/// returned <c>true</c>; <c>false</c> otherwise.
/// </returns>
public bool ConsumeFuzzedFile(string fuzzedFile, ExceptionTracker exceptionTracker)
{
    string mediaType = "multipart/mixed;boundary=x";
    string body;
    using (var reader = new StreamReader(fuzzedFile))
    {
        body = reader.ReadToEnd();
    }

    // An optional leading "Content-Type:" line lets the fuzzed file choose its own media type.
    int lineEnd = body.IndexOf(Environment.NewLine);
    string firstLine = lineEnd > 0 ? body.Substring(0, lineEnd) : null;
    if (firstLine != null && firstLine.StartsWith("Content-Type:"))
    {
        mediaType = firstLine.Replace("Content-Type:", string.Empty).Trim();
        body = body.Substring(lineEnd + Environment.NewLine.Length);
    }

    var httpContent = new StringContent(body);

    // The header is overwritten only when the value parses; an unparseable value leaves
    // the Content-Type exactly as StringContent created it.
    MediaTypeHeaderValue parsedMediaType;
    bool mediaTypeIsValid = MediaTypeHeaderValue.TryParse(mediaType, out parsedMediaType);
    if (mediaTypeIsValid)
    {
        httpContent.Headers.ContentType = parsedMediaType;
    }

    bool allRecorded = true;
    try
    {
        // Wait() blocks on the task, so failures inside the asynchronous reader
        // arrive here wrapped in an AggregateException.
        httpContent.ReadAsMultipartAsync().Wait();
    }
    catch (AggregateException aggregate)
    {
        if (aggregate.InnerExceptions != null)
        {
            foreach (Exception inner in aggregate.InnerExceptions)
            {
                // Every inner exception is reported, even after an earlier report returned false.
                bool recorded = exceptionTracker.TryAddException(fuzzedFile, inner);
                allRecorded = allRecorded && recorded;
            }
        }
    }
    catch (Exception direct)
    {
        allRecorded = exceptionTracker.TryAddException(fuzzedFile, direct);
    }

    return allRecorded;
}
The exception details are:
System.NullReferenceException
Fuzzed file: MimeMultipartBodyPartParser\D1\FuzzedFiles\MimeMultipartBodyPartParser_11-0.txt
Stack trace: at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextSegmentAsync>d__13.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 199
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 169
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136
System.InvalidOperationException
Fuzzed file: MimeMultipartBodyPartParser\D2\FuzzedFiles\MimeMultipartBodyPartParser_13-0.txt
Stack trace: at System.Net.Http.Formatting.Parsers.MimeMultipartBodyPartParser.<ParseBuffer>d__0.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\Formatting\Parsers\MimeMultipartBodyPartParser.cs:line 166
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 166
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136
Fuzzed file: MimeMultipartBodyPartParser\D3\FuzzedFiles\MimeMultipartBodyPartParser_13-0.txt
Stack trace: at System.Net.Http.Formatting.Parsers.MimeMultipartBodyPartParser.<ParseBuffer>d__0.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\Formatting\Parsers\MimeMultipartBodyPartParser.cs:line 166
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 166
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136
Fuzzed file: MimeMultipartBodyPartParser\D8\FuzzedFiles\MimeMultipartBodyPartParser_13-0.txt
Stack trace: at System.Net.Http.Formatting.Parsers.MimeMultipartBodyPartParser.<ParseBuffer>d__0.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\Formatting\Parsers\MimeMultipartBodyPartParser.cs:line 166
at System.Net.Http.HttpContentMultipartExtensions.<MoveToNextPartAsync>d__f.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 166
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<MultipartReadAsync>d__9.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 160
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpContentMultipartExtensions.<ReadAsMultipartAsync>d__0`1.MoveNext() in e:\dd\DevDiv\Offcycle\WPT\WebStackRuntime\runtime\src\System.Net.Http.Formatting\HttpContentMultipartExtensions.cs:line 136