Posted to commits@qpid.apache.org by as...@apache.org on 2018/07/30 16:35:02 UTC

[8/8] qpid-proton git commit: PROTON-1903: Bug found by OSS Fuzz project - Don't go off into the weeds if our peer tries to set the disposition of arbirtrary sequence nos.

PROTON-1903: Bug found by OSS Fuzz project
- Don't go off into the weeds if our peer tries to set the disposition of arbitrary
  sequence nos.

OSS-Fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8307


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/d722f7df
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/d722f7df
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/d722f7df

Branch: refs/heads/master
Commit: d722f7df5c714074b07cd803cbd6406edca4b40c
Parents: 9fbd8ab
Author: Andrew Stitcher <as...@apache.org>
Authored: Mon Jul 30 12:20:57 2018 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Mon Jul 30 12:20:57 2018 -0400

----------------------------------------------------------------------
 c/src/core/transport.c                               |   9 ++++++---
 .../fuzz-connection-driver/crash/5092805675319296    | Bin 0 -> 186 bytes
 2 files changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/d722f7df/c/src/core/transport.c
----------------------------------------------------------------------
diff --git a/c/src/core/transport.c b/c/src/core/transport.c
index b47f680..106a2c8 100644
--- a/c/src/core/transport.c
+++ b/c/src/core/transport.c
@@ -1659,12 +1659,15 @@ int pn_do_disposition(pn_transport_t *transport, uint8_t frame_type, uint16_t ch
   bool remote_data = (pn_data_next(transport->disp_data) &&
                       pn_data_get_list(transport->disp_data) > 0);
 
-  // TODO: We need to clamp the first & last values here to the actual first and last unsettled
-  // Otherwise we could just be told to process any old sequence.
+  // Do some validation of received first and last values
+  // TODO: We should really also clamp the first value here, but we're not keeping track of the earliest
+  // unsettled delivery sequence no
+  last = sequence_lte(last, deliveries->next) ? last : deliveries->next;
+  first = sequence_lte(first, last) ? first : last;
   for (pn_sequence_t id = first; sequence_lte(id, last); ++id) {
     pn_delivery_t *delivery = pni_delivery_map_get(deliveries, id);
-    pn_disposition_t *remote = &delivery->remote;
     if (delivery) {
+      pn_disposition_t *remote = &delivery->remote;
       if (type_init) remote->type = type;
       if (remote_data) {
         switch (type) {
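Review bot: The clamp at lines 48–49 bounds only the upper end of the walk; `first` is still used exactly as the peer sent it, so a frame with `first` far below `deliveries->next` and `last` at or past it drives the loop at line 50 through up to ~2^31 ids, each with a `pni_delivery_map_get` lookup — a CPU-bound stall per frame rather than the memory fault this commit fixes, and the TODO on lines 46–47 leaves it open. Because sequence comparison is modular, `(uint32_t)(last - first)` after the clamp is the span of the walk; when that span exceeds the number of unsettled deliveries it would be both cheaper and still correct for a compliant peer to iterate the map's entries and keep those with `sequence_lte(first, id) && sequence_lte(id, last)` instead of walking the range (the map's entry-count and iteration accessors are not visible in this hunk, so confirm them against the delivery-map header before relying on them). Until that lands, a comment beside line 49 such as `// first is still peer-controlled: the walk below costs O(last - first), not O(unsettled)` would record the remaining exposure next to the TODO. pn_do_disposition begins and ends outside the hunk.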

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/d722f7df/c/tests/fuzz/fuzz-connection-driver/crash/5092805675319296
----------------------------------------------------------------------
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/5092805675319296 b/c/tests/fuzz/fuzz-connection-driver/crash/5092805675319296
new file mode 100644
index 0000000..f460869
Binary files /dev/null and b/c/tests/fuzz/fuzz-connection-driver/crash/5092805675319296 differ

