surprising call of pop3_done() when doing http fuzzing
Date: Mon, 23 Sep 2019 08:52:37 +0200
Hi,
I am using the existing fuzzers in https://github.com/curl/curl-fuzzer.
When working with the http fuzzer, I found to my surprise that the
fuzzing enters the pop3_done() function.
The http fuzzer sets the allowed protocols to HTTP before starting any
transfers. (line 74 in curl_fuzzer.cc, see
https://github.com/curl/curl-fuzzer/blob/da433adbe2b4806588539bd1c4585a1ccb3bb3d6/curl_fuzzer.cc#L74)
Here is test data that makes this happen sporadically:
AAEAAAABQQApAAAACHBvcDM6L3RB
This is base64 encoded, to make a real tlv test case, decode it and feed
it to the fuzzer.
The decoded contents of the test data means this is what happens:
- set hostname to "A"
- set doh url to "pop3:/tA"
- start transferring
I put an assert in the pop3_done() function, and the stack trace is
shown below.
I am not sure if this is intended behaviour, unless "dns over pop3" is
the new thing :-)
The same thing happens with imap_done.
Paul
INFO: Loaded 1 modules (15554 inline 8-bit counters): 15554 [0x663c6f,
0x667931),
INFO: Loaded 1 PC tables (15554 PCs): 15554 [0x5d8010,0x614c30),
tests/curl_fuzzer_http: Running 1 inputs 1 time(s) each.
Running:
../build-fuzz-clang8-plain-O3/minimized-from-46f6abbb9b2c80fb39b0dfbc24c76559bbe25951
curl_fuzzer_http: ../lib/pop3.c:1121: CURLcode pop3_done(struct connectdata *, CURLcode, _Bool): Assertion `!"you should not reach here"' failed.
==24763== ERROR: libFuzzer: deadly signal
#0 0x461def in __sanitizer_print_stack_trace
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x461def)
#1 0x441b3b in fuzzer::PrintStackTrace()
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x441b3b)
#2 0x426be8 in fuzzer::Fuzzer::CrashCallback()
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x426be8)
#3 0x426baf in fuzzer::Fuzzer::StaticCrashSignalCallback()
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x426baf)
#4 0x7f0f8999a72f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1272f)
#5 0x7f0f897d87ba in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x377ba)
#6 0x7f0f897c3534 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22534)
#7 0x7f0f897c340e in __tls_get_addr
(/lib/x86_64-linux-gnu/libc.so.6+0x2240e)
#8 0x7f0f897d1101 in __assert_fail
(/lib/x86_64-linux-gnu/libc.so.6+0x30101)
#9 0x5481b1 in pop3_done
/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/../lib/pop3.c:1121:5
#10 0x474269 in multi_done
/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/../lib/multi.c:556:14
#11 0x47c755 in curl_multi_cleanup
/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/../lib/multi.c:2278:15
#12 0x464813 in fuzz_handle_transfer(fuzz_data*)
/home/paul/code/delaktig/curl-fuzzer/intree_fuzzer/src/networkfuzzers/curl_fuzzer.cc:391:3
#13 0x4635a6 in LLVMFuzzerTestOneInput
/home/paul/code/delaktig/curl-fuzzer/intree_fuzzer/src/networkfuzzers/curl_fuzzer.cc:93:3
#14 0x427f0a in fuzzer::Fuzzer::ExecuteCallback(unsigned char
const*, unsigned long)
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x427f0a)
#15 0x41a84c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long)
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x41a84c)
#16 0x41fcd1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long))
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x41fcd1)
#17 0x4422f2 in main
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x4422f2)
#18 0x7f0f897c509a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#19 0x419129 in _start
(/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x419129)
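The message gives the test case only as base64 and summarises what it contains. The following script, added here and not part of the original post or of the curl-fuzzer project, decodes that string and parses it as curl-fuzzer TLV records so the claimed contents can be checked, and builds a file that can be fed back to the fuzzer binary. It assumes the curl-fuzzer TLV layout of a 16-bit big-endian type followed by a 32-bit big-endian length and the value bytes; the type names for 1 and 41 are an assumption taken from the message's own description ("hostname", "doh url") rather than from curl_fuzzer.h, and the imap variant at the end is a constructed input that has not been verified to reproduce the imap_done case.

```python
import base64
import struct

# Base64 test case exactly as posted in the message above.
POSTED_CASE_B64 = "AAEAAAABQQApAAAACHBvcDM6L3RB"

# Assumed curl-fuzzer TLV record layout: 16-bit type, 32-bit length,
# both big-endian (network byte order), followed by `length` value bytes.
_HEADER = struct.Struct(">HI")

# Type numbers come from the decoded test case. The names are an
# assumption based on the message's description, not on curl_fuzzer.h.
ASSUMED_TYPE_NAMES = {1: "URL (hostname)", 41: "DOH_URL"}


def parse_tlvs(data: bytes):
    """Split a TLV byte string into a list of (type, value) tuples.

    Raises ValueError on a truncated header or a length that runs past
    the end of the input, so a damaged or hand-edited case fails loudly.
    """
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < _HEADER.size:
            raise ValueError(f"truncated TLV header at offset {pos}")
        tlv_type, tlv_len = _HEADER.unpack_from(data, pos)
        pos += _HEADER.size
        if len(data) - pos < tlv_len:
            raise ValueError(
                f"TLV type {tlv_type} claims {tlv_len} bytes, "
                f"only {len(data) - pos} remain"
            )
        records.append((tlv_type, data[pos:pos + tlv_len]))
        pos += tlv_len
    return records


def build_tlvs(records):
    """Inverse of parse_tlvs: serialise (type, value) tuples to bytes."""
    out = bytearray()
    for tlv_type, value in records:
        out += _HEADER.pack(tlv_type, len(value))
        out += value
    return bytes(out)


def decode_posted_case():
    """Decode the base64 case from the message into TLV records."""
    return parse_tlvs(base64.b64decode(POSTED_CASE_B64))


def describe(records):
    """Human-readable one-liners for each record, using the assumed names."""
    return [
        f"type {t} ({ASSUMED_TYPE_NAMES.get(t, 'unknown')}) len {len(v)}: {v!r}"
        for t, v in records
    ]


def write_case(path, records):
    """Write a raw TLV file that the fuzzer binary can be pointed at."""
    with open(path, "wb") as f:
        f.write(build_tlvs(records))


if __name__ == "__main__":
    recs = decode_posted_case()
    print("\n".join(describe(recs)))
    # The round trip must reproduce the posted bytes exactly.
    assert build_tlvs(recs) == base64.b64decode(POSTED_CASE_B64)
    write_case("doh_pop3_case.tlv", recs)
    # Constructed variant with the scheme changed; not verified to trigger
    # the imap_done path mentioned in the message.
    write_case("doh_imap_case.tlv", [(1, b"A"), (41, b"imap:/tA")])
```

Running the script prints two records: type 1 with the one-byte value "A" and type 41 with the eight-byte value "pop3:/tA", which is the 21-byte payload the message describes; there is no separate "start transfer" record, the fuzzer begins the transfer once all TLVs have been consumed. The written .tlv file can then be passed directly as the single input argument to curl_fuzzer_http.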
Received on 2019-09-23