From 5dd8c03b3a30847cdc6351554e6f35d4bcc2f6e5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 5 Aug 2022 12:10:52 +0200
Subject: [PATCH] Do not accept too long inputs that fill socket buffers

There are long-standing issues with fuzzing, which cause the send() not writing all the provided bytes and causing the fuzzer driver to crash. This can be simply solved by limiting the input size to reasonably large value.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21967

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 tests/fuzz/ssh_client_fuzzer.c | 8 ++++++++
 tests/fuzz/ssh_server_fuzzer.c | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/tests/fuzz/ssh_client_fuzzer.c b/tests/fuzz/ssh_client_fuzzer.c
index 2e3a0da6..304b038c 100644
--- a/tests/fuzz/ssh_client_fuzzer.c
+++ b/tests/fuzz/ssh_client_fuzzer.c
@@ -94,6 +94,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     bool no = false;
     int rc;
 
+    /* This is the maximum that can be handled by the socket buffer before the
+     * other side will read some data. Other option would be feeding the socket
+     * from different thread which would not mind if it would be blocked, but I
+     * believe all the important inputs should fit into this size */
+    if (size > 219264) {
+        return -1;
+    }
+
     /* Set up the socket to send data */
     rc = socketpair(AF_UNIX, SOCK_STREAM, 0, socket_fds);
     assert(rc == 0);
diff --git a/tests/fuzz/ssh_server_fuzzer.c b/tests/fuzz/ssh_server_fuzzer.c
index 2d830cfc..c20ae373 100644
--- a/tests/fuzz/ssh_server_fuzzer.c
+++ b/tests/fuzz/ssh_server_fuzzer.c
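Review bot: The 219264 limit is a bare magic number written identically in this hunk and in the ssh_server_fuzzer.c hunk, so the two copies will drift the first time one of them is re-tuned; hoist it into one named constant, e.g. `#define FUZZ_MAX_INPUT_SIZE 219264 /* empirically fits the AF_UNIX socketpair buffer without send() blocking */`, and use `if (size > FUZZ_MAX_INPUT_SIZE) {` in both harnesses. The comment above the check should also say that the value is an empirically measured bound that presumably depends on the kernel's default AF_UNIX buffer size rather than on any libssh protocol limit, so a reader knows to re-measure it instead of treating it as a constant of the protocol. The `return -1;` relies on libFuzzer's "reject this input, do not add it to the corpus" return value, which older libFuzzer documentation lists as reserved, so a one-line comment naming that intent would help whoever runs the harness under a different engine. LLVMFuzzerTestOneInput starts before and continues past this hunk.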
@@ -139,6 +139,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
         .channel_open_request_session_function = channel_open,
     };
 
+    /* This is the maximum that can be handled by the socket buffer before the
+     * other side will read some data. Other option would be feeding the socket
+     * from different thread which would not mind if it would be blocked, but I
+     * believe all the important inputs should fit into this size */
+    if (size > 219264) {
+        return -1;
+    }
+
     /* Write SSH RSA host key to disk */
     rc = write_rsa_hostkey("/tmp/libssh_fuzzer_private_key");
     assert(rc == 0);