mirror of https://git.libssh.org/projects/libssh.git synced 2025-07-29 13:01:13 +03:00

Do not accept too long inputs that fill socket buffers

There are long-standing issues with fuzzing, which cause send() to not write
all the provided bytes, causing the fuzzer driver to crash. This can be
simply solved by limiting the input size to a reasonably large value.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21967

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Jakub Jelen
2022-08-05 12:10:52 +02:00
parent 33bcd8e81c
commit 5dd8c03b3a
2 changed files with 16 additions and 0 deletions
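The commit message describes a driver pushing a whole fuzz input through a socket whose peer is not reading yet, so that send() stops short once the socket buffer is full. The example below is added here and is not libssh code: it measures, on the machine it runs on, how many bytes a non-blocking AF_UNIX stream socketpair accepts before send() returns EAGAIN, and then reproduces the short-write failure for an input larger than that. The function names `socketpair_capacity` and `input_fits` are my own; the code assumes a Linux/POSIX host, and the measured figure it prints is whatever the local kernel and socket buffer configuration give, not a fixed value.

```c
/* Added example (not libssh code): measure how much a non-blocking AF_UNIX
 * stream socketpair buffers before send() stops accepting data, and show the
 * short-write failure a fuzzer driver hits when it pushes a whole input
 * through such a socket while the peer is not reading.  Linux/POSIX only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a socketpair whose writing end is non-blocking.  Returns 0 on
 * success; fds[0] is the writer, fds[1] the peer that is never read. */
static int make_nonblocking_pair(int fds[2])
{
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) {
        return -1;
    }
    if (fcntl(fds[0], F_SETFL, O_NONBLOCK) != 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    return 0;
}

/* Bytes accepted by send() before EAGAIN, i.e. the capacity a driver has
 * when the other side never reads.  Returns -1 on an unexpected error.
 * The value depends on the kernel and its buffer configuration, which is
 * why a hard-coded limit is best measured on the target platform. */
ssize_t socketpair_capacity(void)
{
    int fds[2];
    unsigned char chunk[4096];
    ssize_t total = 0;

    if (make_nonblocking_pair(fds) != 0) {
        return -1;
    }
    memset(chunk, 'A', sizeof(chunk));       /* constructed filler data */
    for (;;) {
        ssize_t n = send(fds[0], chunk, sizeof(chunk), 0);
        if (n > 0) {
            total += n;
        } else if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            break;                           /* buffer full: the limit */
        } else {
            total = -1;                      /* unexpected error */
            break;
        }
    }
    close(fds[0]);
    close(fds[1]);
    return total;
}

/* Emulate a driver feeding one fuzz input of `size` bytes with a single
 * send() and no reader on the other side.  Returns 1 if every byte was
 * accepted, 0 on a short write or EAGAIN (the failure the commit guards
 * against), -1 on setup failure. */
int input_fits(size_t size)
{
    int fds[2];
    unsigned char *buf;
    ssize_t n;
    int fits;

    if (make_nonblocking_pair(fds) != 0) {
        return -1;
    }
    buf = malloc(size ? size : 1);
    if (buf == NULL) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    memset(buf, 'B', size);                  /* constructed fuzz input */
    n = send(fds[0], buf, size, 0);
    fits = (n >= 0 && (size_t)n == size) ? 1 : 0;
    free(buf);
    close(fds[0]);
    close(fds[1]);
    return fits;
}

int main(void)
{
    ssize_t cap = socketpair_capacity();
    printf("socketpair accepts %zd bytes before EAGAIN\n", cap);
    printf("4096-byte input fits: %d\n", input_fits(4096));
    printf("input twice the capacity fits: %d\n",
           input_fits((size_t)cap * 2 + 65536));
    return 0;
}
```

Running it on the fuzzing host gives the ceiling that a check such as the one in this commit should stay below; a blocking socket would simply hang at the same point instead of returning short, which is the alternative the comment in the hunk mentions (a separate feeder thread) would have to absorb.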


@ -139,6 +139,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
.channel_open_request_session_function = channel_open,
};
/* This is the maximum that can be handled by the socket buffer before the
* other side will read some data. Other option would be feeding the socket
* from different thread which would not mind if it would be blocked, but I
* believe all the important inputs should fit into this size */
if (size > 219264) {
return -1;
}
/* Write SSH RSA host key to disk */
rc = write_rsa_hostkey("/tmp/libssh_fuzzer_private_key");
assert(rc == 0);
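Review bot: the threshold in `if (size > 219264)` is a bare magic number; the comment says it is the most the socket buffer can hold before the peer reads, but that capacity depends on the socket type and the kernel's buffer configuration, so the value can be wrong on another platform or after a sysctl change. Suggest giving it a named constant with a comment recording how the figure was measured, and noting that the `return -1` relies on the fuzzing engine honouring libFuzzer's reject-input return value (other drivers may treat any non-zero return as an error). Placing the early return before `write_rsa_hostkey()` is right, since nothing has been created on disk yet when an oversized input is rejected.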