fuzz: limit the maximum size of test inputs for a few parsers

We have a few cases or reported issues which are about a timeout to parse
the input in 25 s. In all cases, the input is a few hundred kb. We don't really
care if the config parsers are super efficient, so let's set a limit on the input
size to avoid triggering such issues. The parsers often contain quadratic
algorithms. This is OK, because the numbers of elements are almost always very
small in real use. Rewriting the code to use more complicated data structures
to speed this up would not only complicate the code, but also pessimize behaviour
for the overwhelmingly common case of small samples. Note that in all those
cases, the input data is trusted. We care about memory correctness, and
not so much about efficiency.

The size checks are done twice: using options for libfuzzer, and using an
internal check for afl. Those should be changed together. I didn't use a define,
because there is no easy mechanism to share the define between the two files.
Zbigniew Jędrzejewski-Szmek 2019-03-12 17:48:06 +01:00
parent 6d632d00ed
commit 0fb729282b
6 changed files with 13 additions and 1 deletions


@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_strv_free_ char **rl = NULL, **rlp = NULL;
if (size == 0)
if (size == 0 || size > 65535)
return 0;
f = fmemopen((char*) data, size, "re");
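Review bot: the new `size > 65535` bound in this hunk is a bare literal that has to match the `max_len = 65535` in the fuzzer's .options file, and nothing in the code points at that file; add a comment on the check (e.g. `/* keep in sync with max_len in the .options file */`) so the next person raising one limit finds the other. Folding the bound into the existing `if (size == 0 || size > 65535)` line is fine, and `return 0` is the right way to tell the driver the input is uninteresting, but it also means an oversized reproducer attached to one of the timeout reports will now simply be skipped rather than parsed, which is the intended outcome and worth stating next to the check.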


@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535
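Review bot: `max_len` here only bounds what libFuzzer generates; as the commit message says, the afl build does not read this file and relies on the in-code `size > 65535` check instead, so this options file is a performance hint rather than the thing that actually stops the timeouts. The two values must still agree, since a lower `max_len` than the C check would silently shrink the explored input space and a higher one would waste cycles on inputs the target rejects on entry; a one-line comment is not possible in this format, so the cross-reference should live in the C file.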


@ -11,6 +11,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(unlink_tempfilep) char network_config[] = "/tmp/fuzz-networkd.XXXXXX";
if (size > 65535)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
log_set_max_level(LOG_CRIT);
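Review bot: the `size > 65535` early return sits after the `_cleanup_(unlink_tempfilep) char network_config[] = "/tmp/fuzz-networkd.XXXXXX";` declaration but before anything has expanded the template, so on the early-return path the cleanup handler runs against the literal unexpanded `/tmp/fuzz-networkd.XXXXXX` name. Either confirm that `unlink_tempfilep` tolerates an unexpanded template (and say so in a comment), or hoist the size check above the declaration so the rejected path has no cleanup to run at all. Placing the check before the `log_set_max_level` call is good, since no work is done for rejected input.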


@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535


@ -11,6 +11,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-link-config.XXXXXX";
_cleanup_fclose_ FILE *f = NULL;
if (size > 65535)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
log_set_max_level(LOG_CRIT);
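Review bot: this is the third fuzzer hard-coding `65535` in C; the commit message explains why a define cannot reach the .options files, but nothing prevents the C side from sharing one constant, for example a `FUZZ_MAX_INPUT_SIZE` macro in a header every fuzzer already includes (name hypothetical), so that at least the three C checks cannot drift from one another and only the .options files remain a manual sync point. As in the networkd hunk, the check comes after the `_cleanup_(unlink_tempfilep) char filename[]` declaration but before the temp file is created; moving it to the very first statement of the function would keep the rejected path free of any cleanup side effects.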


@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535