This is an automated email from the ASF dual-hosted git repository.
astitcher pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git
The following commit(s) were added to refs/heads/main by this push:
new e2137ca PROTON-2503: Stop ignoring received framing errors discovered
by fuzzer
e2137ca is described below
commit e2137cab7bd891666e390a65e7e89a77f3029ff1
Author: Andrew Stitcher <[email protected]>
AuthorDate: Tue Feb 22 18:02:01 2022 -0500
PROTON-2503: Stop ignoring received framing errors discovered by fuzzer
---
c/src/core/consumers.h | 6 +++---
c/src/sasl/sasl.c | 4 ++--
.../fuzz-connection-driver/crash/leak-5052013914750976 | Bin 0 -> 114 bytes
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/c/src/core/consumers.h b/c/src/core/consumers.h
index b4140e8..2f20cba 100644
--- a/c/src/core/consumers.h
+++ b/c/src/core/consumers.h
@@ -539,13 +539,13 @@ static inline bool consume_descriptor(pni_consumer_t*
consumer, pni_consumer_t *
if (!pni_consumer_readf8(consumer, &type)) return false;
switch (type) {
case PNE_DESCRIPTOR: {
- bool lq = consume_ulong(consumer, descriptor);
+ if (!consume_ulong(consumer, descriptor)) return false;
size_t sposition = consumer->position;
uint8_t type;
- consume_single_value_not_described(consumer, &type);
+ if (!consume_single_value_not_described(consumer, &type)) return false;
size_t scsize = consumer->position > sposition ?
consumer->position-sposition : 0;
*subconsumer =
(pni_consumer_t){.output_start=consumer->output_start+sposition, .position=0,
.size=scsize};
- return lq;
+ return true;
}
default:
pni_consumer_skip_value_not_described(consumer, type);
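Review bot: The inner `uint8_t type;` in the PNE_DESCRIPTOR block shadows the `type` that `pni_consumer_readf8` filled and the `switch` dispatches on, so the new `if (!consume_single_value_not_described(consumer, &type)) return false;` writes a different variable from the one the `default:` branch hands to `pni_consumer_skip_value_not_described`; it behaves correctly today but trips `-Wshadow` and is easy to misread. Renaming the inner one, `uint8_t vtype;` and `if (!consume_single_value_not_described(consumer, &vtype)) return false;`, removes the ambiguity. The two new early `return false` paths also leave `*subconsumer` unwritten (and `*descriptor` possibly partially set), which is fine only if every caller treats a false return as "nothing usable was produced"; a comment on the function stating that, e.g. `/* Returns false on a truncated or malformed descriptor; *subconsumer is not written in that case. */`, would make the contract explicit. consume_descriptor starts before this hunk and its body continues past it, so the final return on the `default:` path is not visible here.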
diff --git a/c/src/sasl/sasl.c b/c/src/sasl/sasl.c
index 09a3496..1fc16a9 100644
--- a/c/src/sasl/sasl.c
+++ b/c/src/sasl/sasl.c
@@ -946,7 +946,7 @@ int pn_do_mechanisms(pn_transport_t *transport, uint8_t
frame_type, uint16_t cha
switch (element_type) {
case PNE_SYM8:
while (element_count) {
- pni_consumer_readv8(&subconsumer, &symbol);
+ if (!pni_consumer_readv8(&subconsumer, &symbol)) break;
if (pni_sasl_client_included_mech(sasl->included_mechanisms,
symbol)) {
pn_string_addf(mechs, "%.*s ", (int)symbol.size, symbol.start);
}
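Review bot: Breaking out of `while (element_count)` when `pni_consumer_readv8` fails stops decoding a truncated SYM8 list but does not report it, so a frame whose mechanism array is cut short is handled like a shorter well-formed list and `mechs` is built from whatever prefix could be read; the `pni_consumer_readv32` break in the PNE_SYM32 hunk below has the same shape. That differs from the consumers.h hunk in this commit, which propagates the failure with `return false`. If a truncated mechanism list should be a transport-level error rather than silently accepted, the loop needs to remember the failure (for example set a local flag before `break` and test it after the `switch`) so pn_do_mechanisms can take its error path; if silent truncation is the intended behaviour, a comment on the break such as `/* truncated symbol list: decode what is present, drop the rest */` would document that choice. pn_do_mechanisms starts before this hunk and continues after it, so what happens to element_count and mechs once the loop exits is not visible here.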
@@ -955,7 +955,7 @@ int pn_do_mechanisms(pn_transport_t *transport, uint8_t
frame_type, uint16_t cha
break;
case PNE_SYM32:
while (element_count) {
- pni_consumer_readv32(&subconsumer, &symbol);
+ if (!pni_consumer_readv32(&subconsumer, &symbol)) break;
if (pni_sasl_client_included_mech(sasl->included_mechanisms,
symbol)) {
pn_string_addf(mechs, "%.*s ", (int)symbol.size, symbol.start);
}
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/leak-5052013914750976
b/c/tests/fuzz/fuzz-connection-driver/crash/leak-5052013914750976
new file mode 100644
index 0000000..1c9e3df
Binary files /dev/null and
b/c/tests/fuzz/fuzz-connection-driver/crash/leak-5052013914750976 differ