From patchwork Wed Oct 10 09:12:15 2018
X-Patchwork-Submitter: Bhargava Shastry
X-Patchwork-Id: 981764
From: bshastry@sect.tu-berlin.de
To: dev@openvswitch.org
Cc: Bhargava Shastry
Date: Wed, 10 Oct 2018 11:12:15 +0200
Message-Id: <20181010091215.7940-1-bshastry@sect.tu-berlin.de>
Subject: [ovs-dev] [PATCH] ossfuzz: Bug fix in odp and expr parse targets
From: Bhargava Shastry

This patch fixes a bug in the following test harnesses:

- odp_target.c
- expr_parse_target.c

The bug is as follows:

We expect the fuzzed input to be a C string that does not contain a new line character. This is because the test code in OvS is built expecting the string not to have a newline character (see, for instance, calls to ds_get_line() in test-odp.c etc.).

The way we ensure fuzzed data is such a C string is as follows:

- Check size > 1 AND
- Check data[size - 1] is '\0' (NUL termination) AND
- Check that there is no '\n' in the C string that starts at data

The third check is implemented using strchr. Our earlier logic was that, were the C string to contain '\n', strchr would have a non-zero return that can then be used to bail out early.

The problem with this logic is that it does not consider the corner case when data actually points to two or more C strings, like so:

\x01\x00\x0a\0x00

For this data sequence, strchr correctly returns "there is no newline character" (in the first C string that is part of the sequence). But the data that is eventually passed to the fuzzed API is the entire sequence of strings, which may contain a new line in between.

This patch fixes the bug by adding an additional check:

- Check that the length of the C string pointed to by data is actually equal to one less than (due to NUL termination) size.

This ensures that we are passing one and only one C string not containing a new line character to the fuzzed APIs.

Signed-off-by: Bhargava Shastry
---
 tests/oss-fuzz/expr_parse_target.c | 3 ++-
 tests/oss-fuzz/odp_target.c        | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/oss-fuzz/expr_parse_target.c b/tests/oss-fuzz/expr_parse_target.c
index d72ad40c4..ca739012c 100644
--- a/tests/oss-fuzz/expr_parse_target.c
+++ b/tests/oss-fuzz/expr_parse_target.c
@@ -436,7 +436,8 @@ LLVMFuzzerTestOneInput(const uint8_t *input_, size_t size) { /* Bail out if we cannot construct at least a 1 char string. */ const char *input = (const char *) input_; - if (size < 2 || input[size - 1] != '\0' || strchr(input, '\n')) { + if (size < 2 || input[size - 1] != '\0' || strchr(input, '\n') || + (strlen(input) != size - 1)) { return 0; } diff --git a/tests/oss-fuzz/odp_target.c b/tests/oss-fuzz/odp_target.c index 93231bde3..b185174f6 100644 --- a/tests/oss-fuzz/odp_target.c +++ b/tests/oss-fuzz/odp_target.c @@ -125,7 +125,8 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* Bail out if we cannot construct at least a 1 char string. */ const char *input = (const char *) data; - if (size < 2 || input[size - 1] != '\0' || strchr(input, '\n')) { + if (size < 2 || input[size - 1] != '\0' || strchr(input, '\n') || + (strlen(input) != size - 1)) { return 0; }
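Review bot: in the expr_parse_target.c hunk the comment kept above the condition, `/* Bail out if we cannot construct at least a 1 char string. */`, no longer describes what the check enforces once `strlen(input) != size - 1` rejects buffers that hold more than one C string; a reader who sees only the comment may later drop the strlen() term as redundant. Suggest restating the full contract there, e.g. "Bail out unless the input is exactly one NUL-terminated string of at least 1 char with no newline.", and mentioning in the same comment that the strchr() test stays necessary: strlen() only rules out an embedded NUL before data[size - 1], while strchr() is what rejects a '\n' inside that single string.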
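Review bot: in the odp_target.c hunk the new term `(strlen(input) != size - 1)` is wrapped in parentheses that none of the other operands of the `||` chain use; drop them so the two harnesses (and the surrounding style) stay consistent. The intent of the new term is "no embedded NUL before the terminator", and `memchr(input, '\0', size - 1) != NULL` states that directly; either form is fine, but whichever is chosen should be the same in both files, since the two hunks are meant to be identical.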
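The following is an added example, not code from the OVS patch or repository: it reproduces the harness input check as it stood before the patch and as patched, and runs both against constructed byte sequences, including the two-string corner case from the commit message. Function names (old_input_ok, new_input_ok, new_input_ok_memchr, newlines_in_buffer) and the sample inputs are this example's own; the memchr() variant is an equivalent way of writing the added condition, not the patch's code.

```c
/* Added example, not from the OVS patch: reproduces the harness input check
 * before and after the fix on constructed inputs, so the corner case from
 * the commit message can be observed directly. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch check: size, trailing NUL, and no '\n' found by strchr().
 * strchr() stops at the first NUL, so it only inspects the first C string
 * in the buffer, not the whole `size` bytes the fuzzed API will consume. */
bool old_input_ok(const uint8_t *data, size_t size)
{
    const char *input = (const char *) data;
    return !(size < 2 || input[size - 1] != '\0' || strchr(input, '\n'));
}

/* Post-patch check: additionally require that the first C string spans the
 * whole buffer, i.e. there is no embedded NUL before data[size - 1]. */
bool new_input_ok(const uint8_t *data, size_t size)
{
    const char *input = (const char *) data;
    return !(size < 2 || input[size - 1] != '\0' || strchr(input, '\n')
             || strlen(input) != size - 1);
}

/* Same contract as new_input_ok(), with the embedded-NUL condition written
 * as a memchr() scan of the bytes before the terminator (equivalent form,
 * an assumption of this example rather than the patch's wording). */
bool new_input_ok_memchr(const uint8_t *data, size_t size)
{
    const char *input = (const char *) data;
    return !(size < 2 || input[size - 1] != '\0'
             || memchr(input, '\0', size - 1) != NULL
             || strchr(input, '\n'));
}

/* Count '\n' bytes anywhere in the buffer, NULs included: per the commit
 * message, the whole sequence (not just the first C string) reaches the
 * fuzzed API, so this is the view that matters. */
size_t newlines_in_buffer(const uint8_t *data, size_t size)
{
    size_t n = 0;
    for (size_t i = 0; i < size; i++) {
        if (data[i] == '\n') {
            n++;
        }
    }
    return n;
}

/* Constructed inputs (not from any fuzzer corpus). */
static const uint8_t two_strings[] = { 0x01, 0x00, 0x0a, 0x00 }; /* "\x01" then "\n": the corner case */
static const uint8_t clean[]       = { 'a', 'b', 'c', 0x00 };    /* one string, no newline */
static const uint8_t with_nl[]     = { 'a', '\n', 'b', 0x00 };   /* one string containing '\n' */
static const uint8_t no_nul[]      = { 'a', 'b' };               /* missing terminator */

int main(void)
{
    /* The old check accepts the two-string buffer even though a newline
     * sits in the second string; the new check rejects it. */
    printf("two_strings: old=%d new=%d newlines_in_buffer=%zu\n",
           old_input_ok(two_strings, sizeof two_strings),
           new_input_ok(two_strings, sizeof two_strings),
           newlines_in_buffer(two_strings, sizeof two_strings));
    /* prints: two_strings: old=1 new=0 newlines_in_buffer=1 */
    return 0;
}
```

Note that every condition short-circuits before strlen()/strchr() run on a buffer that lacks a trailing NUL (the `no_nul` case), which is what keeps the check itself from reading past `size`.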