curl:curl_fuzzer_rtsp: ASSERT: blen == 0 #12701

Closed
bagder opened this issue Jan 14, 2024 · 2 comments

@bagder (Member)

bagder commented Jan 14, 2024

I did this

The curl fuzzer reached an assert. Introduced in d7b6ce6


Original Stacktrace on revision d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551:
	+----------------------------------------Release Build Stacktrace----------------------------------------+
	Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/b557b55fe6aee3248cae088eab2fc98246d15b9f47d13e37a45a58554e2crash
	Time ran: 0.046141624450683594
	
	INFO: Running with entropic power schedule (0xFF, 100).
	INFO: Seed: 2812897356
	INFO: Loaded 1 modules   (125695 inline 8-bit counters): 125695 [0x146cd80, 0x148b87f),
	INFO: Loaded 1 PC tables (125695 PCs): 125695 [0x148b880,0x1676870),
	/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp: Running 1 inputs 100 time(s) each.
	Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/b557b55fe6aee3248cae088eab2fc98246d15b9f47d13e37a45a58554e2crash
	curl_fuzzer_rtsp: rtsp.c:844: CURLcode rtsp_rtp_write_resp(struct Curl_easy *, const char *, size_t, _Bool, _Bool *): Assertion `blen == 0' failed.
	==152899== ERROR: libFuzzer: deadly signal
	    #0 0x53a831 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
	    #1 0x459348 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
	    #2 0x43e023 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
	    #3 0x7df9c56c141f in libpthread.so.0
	    #4 0x7df9c538400a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/sysdeps/unix/sysv/linux/internal-signals.h:86:3
	    #5 0x7df9c538400a in raise /build/glibc-SzIz7B/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:48:3
	    #6 0x7df9c5363858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
	    #7 0x7df9c5363728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
	    #8 0x7df9c5374fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
	    #9 0x6d739d in rtsp_rtp_write_resp [curl/lib/rtsp.c:844](https://github.com/curl/curl/blob/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551/lib/rtsp.c#L844):3
	    #10 0x5dd287 in Curl_xfer_write_resp [curl/lib/transfer.c:1687](https://github.com/curl/curl/blob/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551/lib/transfer.c#L1687):14
	    #11 0x5dd287 in readwrite_data [curl/lib/transfer.c:534](https://github.com/curl/curl/blob/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551/lib/transfer.c#L534):14
	    #12 0x5dd287 in Curl_readwrite [curl/lib/transfer.c:921](https://github.com/curl/curl/blob/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551/lib/transfer.c#L921):14
	    #13 0x5a6d7e in multi_runsingle [curl/lib/multi.c:2483](https://github.com/curl/curl/blob/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551/lib/multi.c#L2483):16
	    #14 0x5a36c9 in curl_multi_perform [curl/lib/multi.c:2780](https://github.com/curl/curl/blob/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551/lib/multi.c#L2780):16
	    #15 0x56f2a2 in fuzz_handle_transfer(fuzz_data*) [curl_fuzzer/curl_fuzzer.cc:419](https://github.com/curl/curl-fuzzer/blob/b94de48b46994153794a6d3c991c4edf822a02d7/curl_fuzzer.cc#L419):5
	    #16 0x56e0f9 in LLVMFuzzerTestOneInput [curl_fuzzer/curl_fuzzer.cc:97](https://github.com/curl/curl-fuzzer/blob/b94de48b46994153794a6d3c991c4edf822a02d7/curl_fuzzer.cc#L97):3
	    #17 0x43f5c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	    #18 0x42ad22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	    #19 0x4305cc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	    #20 0x459b02 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #21 0x7df9c5365082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
	    #22 0x420eed in _start
	
	NOTE: libFuzzer has rudimentary signal handlers.
	      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
	SUMMARY: libFuzzer: deadly signal
	
	
	+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
	
	curl_fuzzer_rtsp: rtsp.c:844: CURLcode rtsp_rtp_write_resp(struct Curl_easy *, const char *, size_t, _Bool, _Bool *): Assertion `blen == 0' failed.
	==152899== ERROR: libFuzzer: deadly signal
	    #0 0x53a831  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x53a831)
	    #1 0x459348  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x459348)
	    #2 0x43e023  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x43e023)
	    #3 0x7df9c56c141f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
	    #4 0x7df9c538400a  (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
	    #5 0x7df9c5363858  (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
	    #6 0x7df9c5363728  (/lib/x86_64-linux-gnu/libc.so.6+0x22728) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
	    #7 0x7df9c5374fd5  (/lib/x86_64-linux-gnu/libc.so.6+0x33fd5) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
	    #8 0x6d739d  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x6d739d)
	    #9 0x5dd287  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x5dd287)
	    #10 0x5a6d7e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x5a6d7e)
	    #11 0x5a36c9  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x5a36c9)
	    #12 0x56f2a2  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x56f2a2)
	    #13 0x56e0f9  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x56e0f9)
	    #14 0x43f5c3  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x43f5c3)
	    #15 0x42ad22  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x42ad22)
	    #16 0x4305cc  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x4305cc)
	    #17 0x459b02  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x459b02)
	    #18 0x7df9c5365082  (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
	    #19 0x420eed  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_curl_d1a7f12cc2e5055727a9c66d5eca203f3c8f5a6c/revisions/curl_fuzzer_rtsp+0x420eed)

I expected the following

Happy fuzzer

curl/libcurl version

git master

operating system

it runs on Linux but I doubt it matters

@cmeister2 (Contributor)

Input:

TLVHeader(type='CURLOPT_URL' (1), length=10, data=b'RTSP:/\xff\xff\xff\xff')
TLVHeader(type='Server response 1' (17), length=39, data=b'RTSP/7.1 786          \n\nRTSP/          ')
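The decoded input above is the curl-fuzzer TLV (type, length, value) testcase format: each record is a type, a length and the payload bytes, concatenated into one file. As an added example, not code from this issue or from the curl or curl-fuzzer projects, the following Python re-encodes those two records into a raw testcase and parses it back, rejecting truncated records. It assumes the curl-fuzzer header layout of a big-endian 16-bit type followed by a 32-bit length; the type numbers 1 and 17 and the two payloads are those printed above.

```python
import struct

# TLV type numbers as printed in the decoded input above. The header layout
# (big-endian u16 type followed by u32 length) is an assumption about the
# curl-fuzzer wire format made for this example.
TLV_TYPE_URL = 1
TLV_TYPE_RESPONSE1 = 17

HDR = struct.Struct(">HI")  # 2-byte type, 4-byte length, network byte order


def encode_tlv(tlv_type: int, data: bytes) -> bytes:
    """Serialise one TLV record: header followed by the raw payload."""
    return HDR.pack(tlv_type, len(data)) + data


def decode_tlvs(blob: bytes) -> list[tuple[int, bytes]]:
    """Walk a testcase and return (type, payload) pairs.

    A truncated header or a length that overruns the file raises ValueError
    instead of being silently accepted, so a corrupted reproducer is noticed.
    """
    out = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < HDR.size:
            raise ValueError(f"truncated TLV header at offset {pos}")
        tlv_type, length = HDR.unpack_from(blob, pos)
        pos += HDR.size
        if len(blob) - pos < length:
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, "
                             f"only {len(blob) - pos} remain")
        out.append((tlv_type, blob[pos:pos + length]))
        pos += length
    return out


def is_well_formed(blob: bytes) -> bool:
    """True when every record in the blob parses cleanly."""
    try:
        decode_tlvs(blob)
        return True
    except ValueError:
        return False


# The two records from the decoded input above, re-entered as literals.
REPRO_URL = b"RTSP:/\xff\xff\xff\xff"
REPRO_RESPONSE = b"RTSP/7.1 786          \n\nRTSP/          "


def build_reproducer() -> bytes:
    """Rebuild the raw testcase bytes from the decoded records."""
    return (encode_tlv(TLV_TYPE_URL, REPRO_URL)
            + encode_tlv(TLV_TYPE_RESPONSE1, REPRO_RESPONSE))


if __name__ == "__main__":
    blob = build_reproducer()
    print(f"{len(blob)} bytes")
    for tlv_type, payload in decode_tlvs(blob):
        print(f"type={tlv_type} length={len(payload)} data={payload!r}")
```

The server response record is the part worth looking at: its header block ends at the bare "\n\n" and is followed by 15 more bytes with no Content-Length header announcing them, which is what reaches rtsp_rtp_write_resp with a non-zero blen.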

icing added a commit to icing/curl that referenced this issue Jan 15, 2024
- refs curl#12701
- enforce a response body length of 0, if the
  response has no Content-Length. This is according
  to the RTSP spec.
- excess bytes in a response body are forwarded to
  the client writers which will report and fail the
  transfer
@icing (Contributor)

icing commented Jan 15, 2024

Let's see if #12706 helps.
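The commit message above states the rule the fix enforces: with no Content-Length header an RTSP response has a body of length 0, and any bytes after the headers are excess that must fail the transfer rather than trip an assert. As an added illustration, not curl's code, the following Python applies that rule to the server response from the reproducer and to well-formed responses. The function names, the result dictionary and the acceptance of a bare-LF header terminator (which the reproducer uses) are choices made for this example.

```python
import re

# Header terminators. The reproducer ends its header block with a bare
# "\n\n", so both CRLF and LF forms are recognised here (assumed behaviour).
_TERMINATORS = (b"\r\n\r\n", b"\n\n")


def split_response(raw: bytes) -> tuple[bytes, bytes]:
    """Return (header_block, bytes_after_headers); raise if no terminator."""
    best = None
    for term in _TERMINATORS:
        idx = raw.find(term)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, len(term))
    if best is None:
        raise ValueError("no end of headers found")
    idx, term_len = best
    return raw[:idx], raw[idx + term_len:]


def content_length(header_block: bytes) -> int:
    """Body length announced by Content-Length; 0 when the header is absent.

    The default of 0 is the rule described in the fix: an RTSP response
    without Content-Length carries no body.
    """
    for line in re.split(rb"\r?\n", header_block)[1:]:  # skip status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            value = value.strip()
            if not value.isdigit():
                raise ValueError(f"bad Content-Length value: {value!r}")
            return int(value)
    return 0


def check_response(raw: bytes) -> dict:
    """Classify a response: expected body, bytes actually present, excess."""
    header_block, rest = split_response(raw)
    expected = content_length(header_block)
    body, excess = rest[:expected], rest[expected:]
    return {
        "content_length": expected,
        "body_bytes": len(body),
        "excess_bytes": len(excess),
        # A short body (truncated) and excess bytes both fail the transfer.
        "ok": len(body) == expected and not excess,
    }


# Constructed inputs: the reproducer's server response from this issue, and
# two well-formed responses written for this example.
REPRO_RESPONSE = b"RTSP/7.1 786          \n\nRTSP/          "
OK_WITH_BODY = b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Length: 5\r\n\r\nhello"
OK_NO_BODY = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n"

if __name__ == "__main__":
    for sample in (REPRO_RESPONSE, OK_WITH_BODY, OK_NO_BODY):
        print(sample[:16], check_response(sample))
```

On the reproducer the status line is followed directly by the terminator, so the announced body length is 0 and the 15 trailing bytes are excess: exactly the non-zero blen the assert at rtsp.c:844 rejected. Under the fixed behaviour those bytes are handed to the client writers, which report the error and fail the transfer instead of aborting the process.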

bagder closed this as completed in 036eb15 on Jan 15, 2024