Hi,

On Wed, Dec 07, 2016 at 04:51:36PM +0500, ???????? ?????????????? wrote:
> at least, I recall this commit
> https://github.com/OpenVPN/openvpn/commit/0d8da22ae36d5efd03fba36c1d783b907589e321

*That* commit is "the 2.3.6 release", but I see what you mean.

> it used to crash on simple tcp connect (after immediate disconnect), it was
> reproducible to running login/password authentication mode
> 
> it might have been caught by fuzz testing.

I should point out that this was not a "crash" but an "openvpn detects
invalid input and ASSERT()s out -> well-defined program exit".

Not exactly *friendly* behaviour (and stupid, in this case), but not 
a *crash*.

But that's exactly why fuzzing openvpn is hard: we detect bad stuff, and
in doubt, we ASSERT() - which is well-defined behaviour, not "crashing
randomly, possibly in a way that can be exploited to get access to
security critical bits"

> > Anyway - so what's necessary to make this google fuzz testing work?  Do
> > we instrument our code, or just tell them "hey, here's a useful piece
> > of software, go figure it out yourself"?
> 
> we can start with PR to
> https://github.com/google/oss-fuzz/tree/master/projects
> it must be done by someone from "OpenVPN" github organization.

OK, that would then be Samuli, David or me, I think.  We'll investigate...

> if google machinery will not figure out anything, it might be a long way with
> libfuzz-helpers (if we implement such helpers, we can add them to cmocka and
> travis-ci)

Indeed, but that would be "we have to do it", which nobody seems to have
time for right now.

gert


-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
