authorJeffrey Kardatzke <jkardatzke@google.com>2019-11-05 13:51:26 -0800
committerCommit Bot <commit-bot@chromium.org>2019-11-06 22:37:25 +0000
commitc53fe7810a12dbe5f1210e41cee6456302256288 (patch)
treeacb863d830b87757f4d5c99944d52618e1b22f9c
parentb53333d25be58ca9d9803423f0ab0ec75079d345 (diff)
libbrillo: Fix fuzzer recursion bug in http_form_data_fuzzer
Add a stack depth limit when building the multipart form fields to prevent the fuzzer from crashing on excessive stack depth. Switching to an iterative approach isn't an ideal solution because the libbrillo code is recursive as well, and it does not seem worthwhile to make that iterative. BUG=chromium:1017809 TEST=Test case no longer crashes Change-Id: Id5b886390be36538ff38103addef643cc1fd8573 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1900316 Tested-by: Jeffrey Kardatzke <jkardatzke@google.com> Reviewed-by: Manoj Gupta <manojgupta@chromium.org> Reviewed-by: Eric Caruso <ejcaruso@chromium.org> Commit-Queue: Jeffrey Kardatzke <jkardatzke@google.com> Cr-Mirrored-From: https://chromium.googlesource.com/chromiumos/platform2 Cr-Mirrored-Commit: b9302f6f119e7e85009392ba9bd5aac0766274d6
-rw-r--r--brillo/http/http_form_data_fuzzer.cc13
1 files changed, 9 insertions, 4 deletions
diff --git a/brillo/http/http_form_data_fuzzer.cc b/brillo/http/http_form_data_fuzzer.cc
index f5ae4b7..f73a89f 100644
--- a/brillo/http/http_form_data_fuzzer.cc
+++ b/brillo/http/http_form_data_fuzzer.cc
@@ -15,6 +15,7 @@
namespace {
constexpr int kRandomDataMaxLength = 64;
+constexpr int kMaxRecursionDepth = 256;
std::unique_ptr<brillo::http::TextFormField> CreateTextFormField(
FuzzedDataProvider* data_provider) {
@@ -39,7 +40,7 @@ std::unique_ptr<brillo::http::FileFormField> CreateFileFormField(
}
std::unique_ptr<brillo::http::MultiPartFormField> CreateMultipartFormField(
- FuzzedDataProvider* data_provider) {
+ FuzzedDataProvider* data_provider, int depth) {
std::unique_ptr<brillo::http::MultiPartFormField> multipart_field =
std::make_unique<brillo::http::MultiPartFormField>(
data_provider->ConsumeRandomLengthString(kRandomDataMaxLength),
@@ -57,9 +58,13 @@ std::unique_ptr<brillo::http::MultiPartFormField> CreateMultipartFormField(
// Add a random file field to the form.
multipart_field->AddCustomField(CreateFileFormField(data_provider));
}
- if (data_provider->ConsumeBool()) {
+ // Limit our recursion depth. We could make this part of our code iterative,
+ // but that won't help because in libbrillo we use recursion to generate the
+ // stream so we would hit a stack depth limit there as well.
+ if (depth < kMaxRecursionDepth && data_provider->ConsumeBool()) {
// Add a random multipart form field to the form.
- multipart_field->AddCustomField(CreateMultipartFormField(data_provider));
+ multipart_field->AddCustomField(
+ CreateMultipartFormField(data_provider, depth + 1));
}
}
@@ -100,7 +105,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
}
if (data_provider.ConsumeBool()) {
// Add a random multipart form field to the form.
- form_data.AddCustomField(CreateMultipartFormField(&data_provider));
+ form_data.AddCustomField(CreateMultipartFormField(&data_provider, 0));
}
}
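Review bot: The new constant `kMaxRecursionDepth = 256` in the first hunk carries no comment explaining how the value was chosen, and because the description says libbrillo's stream generation is itself recursive, the hunk alone does not show that 256 nested fields stays inside the stack budget of that library path too. Suggest documenting the bound where it is declared, e.g. `// Upper bound on nested multipart fields; keep it low enough that libbrillo's recursive stream generation does not exhaust the stack (chromium:1017809).` The new `depth` parameter on `CreateMultipartFormField` in the second hunk also deserves a one-line contract, e.g. `// |depth| is the current nesting level; the root call in LLVMFuzzerTestOneInput passes 0.` Note that once the guard in the third hunk stops nesting at the limit, the fuzzer by design no longer exercises deeper nesting, so any library-side stack issue beyond that depth would go unobserved — worth a sentence next to the guard. The body of `CreateMultipartFormField` and of `LLVMFuzzerTestOneInput` both extend outside the shown hunks.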