authorNeil Horman <nhorman@openssl.org>2024-07-09 21:43:56 +0200
committerNeil Horman <nhorman@openssl.org>2024-07-23 14:20:15 +0200
commit4f619ca622b6c36626ddc9a04b0b8589d7802dc0 (patch)
tree1dd840c8c4300d428ecd3d2a030d0a6c15d579dd
parentunnecessary whitespace before a quoted newline (diff)
downloadopenssl-4f619ca622b6c36626ddc9a04b0b8589d7802dc0.tar.xz
openssl-4f619ca622b6c36626ddc9a04b0b8589d7802dc0.zip
Ensure cmd from fuzz buffer is always valid
The quic-srtm fuzzer uses a loop in which an integer command is extracted from the fuzzer buffer input to determine the action to take, switching on the values between 0 and 3, and ignoring all other commands. However in the failing fuzzer test case here: https://oss-fuzz.com/testcase-detail/5618331942977536 The buffer provided shows a large number of 0 values (indicating an SRTM add command), and almost no 1, 2, or 3 values. As such, the fuzzer only truly exercises the srtm add path, which has the side effect of growing the SRTM hash table unboundedly, leading to a timeout when 10 entries need to be iterated over when the hashtable doall command is executed. Fix this by ensuring that the command is always valid, and reasonably distributed among all the operations with some modulo math. Introducing this change bounds the hash table size in the reproducer test case to less than half of the initially observed size, and avoids the timeout. Fixes openssl/project#679 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24827)
-rw-r--r--fuzz/quic-srtm.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/fuzz/quic-srtm.c b/fuzz/quic-srtm.c
index eb676c2279..13fdaace0a 100644
--- a/fuzz/quic-srtm.c
+++ b/fuzz/quic-srtm.c
@@ -36,9 +36,12 @@ enum {
CMD_ADD,
CMD_REMOVE,
CMD_CULL,
- CMD_LOOKUP
+ CMD_LOOKUP,
+ CMD_MAX
};
+#define MAX_CMDS 10000
+
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
int rc = 0;
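Review bot: `CMD_MAX` (the number of command kinds, used as the modulus) and `MAX_CMDS` (the per-input cap on commands executed) are two different quantities with near-anagram names, which invites mixing them up in the switch and the limit check; `CMD_COUNT` for the enum sentinel, or a comment on each, would keep them apart. The new `#define MAX_CMDS 10000` also carries no explanation of why the cap exists, so a reader may take it as an arbitrary number; I would add `/* Cap on commands run per input: bounds SRTM table growth and the doall walk so the fuzzer does not time out */` above it. FuzzerTestOneInput's body continues outside the hunk.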
@@ -47,6 +50,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
unsigned int cmd;
uint64_t arg_opaque, arg_seq_num, arg_idx;
QUIC_STATELESS_RESET_TOKEN arg_token;
+ size_t limit = 0;
if ((srtm = ossl_quic_srtm_new(NULL, NULL)) == NULL) {
rc = -1;
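Review bot: `limit` in the new declaration is a running count of commands consumed, not a limit — the limit is `MAX_CMDS` — so the check `if (++limit > MAX_CMDS)` in the following hunk reads as comparing a limit to a limit. Renaming it `size_t ncmds = 0;` and `if (++ncmds > MAX_CMDS)` says what the variable holds. The enclosing function starts in the previous hunk and continues after this one.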
@@ -60,7 +64,12 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
if (!PACKET_get_1(&pkt, &cmd))
goto err;
- switch (cmd) {
+ if (++limit > MAX_CMDS) {
+ rc = 0;
+ goto err;
+ }
+
+ switch (cmd % CMD_MAX) {
case CMD_ADD:
if (!PACKET_get_net_8(&pkt, &arg_opaque)
|| !PACKET_get_net_8(&pkt, &arg_seq_num)
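Review bot: `switch (cmd % CMD_MAX)` folds every byte onto a valid command, so any `default:` arm that previously ignored out-of-range values (the switch body continues outside the hunk) is now unreachable and should either be removed or turned into an explicit unreachable marker, so that a future enum addition that forgets to update the sentinel is noticed rather than silently ignored. The reason for the modulo lives only in the commit message; a one-line comment such as `/* Fold the byte onto a valid command so every input exercises all ops, not just ADD */` on the switch line would keep the rationale with the code. The `rc = 0;` inside the cap check is presumably a deliberate "not a failure" marker; a short comment saying so would stop it looking like a leftover, since rc is already 0 on every path that reaches the loop.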
@@ -108,6 +117,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
}
+ rc = 0;
err:
ossl_quic_srtm_free(srtm);
return rc;
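Review bot: The added `rc = 0;` before `err:` looks redundant: `rc` is initialised to 0 at the top of FuzzerTestOneInput and the only visible assignment of -1 (on `ossl_quic_srtm_new` failure) is followed immediately by `goto err`, so normal loop exit already returns 0 — unless a case in the switch body, which lies outside this hunk, sets rc non-zero before jumping to `err`. If such a path exists, a brief comment like `/* all commands consumed without error */` on the new line would make the success marker intentional; if not, the line (and the matching `rc = 0;` in the cap-check path) can be dropped.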