Posted to commits@qpid.apache.org by as...@apache.org on 2018/07/30 16:34:56 UTC
[2/8] qpid-proton git commit: PROTON-1903: Bug found by OSS Fuzz
project - Avoid calling pn_transport_capacity() during protocol processing,
as it can reallocate the data buffer thus invalidating the data pointer
PROTON-1903: Bug found by OSS Fuzz project
- Avoid calling pn_transport_capacity() during protocol processing, as it can
reallocate the data buffer thus invalidating the data pointer
OSS-Fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8305
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/88fed8a9
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/88fed8a9
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/88fed8a9
Branch: refs/heads/master
Commit: 88fed8a9abe341ccc3cfaa3e7b871dc0489df3bc
Parents: f48f4c5
Author: Andrew Stitcher <as...@apache.org>
Authored: Sun Jul 29 00:02:20 2018 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Mon Jul 30 11:35:09 2018 -0400
----------------------------------------------------------------------
c/src/core/transport.c | 9 +++------
c/src/sasl/sasl.c | 11 ++++++++---
.../fuzz-connection-driver/crash/5972719047802880 | Bin 0 -> 16384 bytes
3 files changed, 11 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/88fed8a9/c/src/core/transport.c
----------------------------------------------------------------------
diff --git a/c/src/core/transport.c b/c/src/core/transport.c
index dde4b37..ae00773 100644
--- a/c/src/core/transport.c
+++ b/c/src/core/transport.c
@@ -271,7 +271,7 @@ void pn_set_error_layer(pn_transport_t *transport)
ssize_t pn_io_layer_input_autodetect(pn_transport_t *transport, unsigned int layer, const char *bytes, size_t available)
{
const char* error;
- bool eos = pn_transport_capacity(transport)==PN_EOS;
+ bool eos = transport->tail_closed;
if (eos && available==0) {
pn_do_error(transport, "amqp:connection:framing-error", "No valid protocol header found");
pn_set_error_layer(transport);
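Review bot: The reason line 38 reads `transport->tail_closed` directly instead of calling the accessor is not recorded next to the line, so the `pn_transport_capacity()` call is likely to be reintroduced by the next person who touches this code; a one-line comment would keep the constraint visible: `/* read the flag directly: pn_transport_capacity() may grow the input buffer and invalidate 'bytes' */`. The same substitution is made in pn_input_read_amqp_header, pn_input_read_sasl_header and pn_input_read_sasl, and either the comment or a small static inline helper in a shared header that documents the constraint would serve all four sites. Since the fix rests on nothing else reallocating the input buffer while `bytes` is live, a sentence on pn_transport_capacity() itself (outside this hunk) saying it must not be called from the input layers would close the loop; presumably it tests the same `tail_closed` flag first, but that is not visible here. pn_io_layer_input_autodetect's body continues past the hunk.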
@@ -2533,7 +2533,7 @@ static void pn_error_amqp(pn_transport_t* transport, unsigned int layer)
static ssize_t pn_input_read_amqp_header(pn_transport_t* transport, unsigned int layer, const char* bytes, size_t available)
{
- bool eos = pn_transport_capacity(transport)==PN_EOS;
+ bool eos = transport->tail_closed;
pni_protocol_type_t protocol = pni_sniff_header(bytes, available);
switch (protocol) {
case PNI_PROTOCOL_AMQP1:
@@ -2575,10 +2575,7 @@ static ssize_t pn_input_read_amqp(pn_transport_t* transport, unsigned int layer,
ssize_t n = pn_dispatcher_input(transport, bytes, available, true, &transport->halt);
- if (n < 0) {
- //return pn_error_set(transport->error, n, "dispatch error");
- return PN_EOS;
- } else if (transport->close_rcvd) {
+ if (n < 0 || transport->close_rcvd) {
return PN_EOS;
} else {
return n;
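Review bot: A negative result from pn_dispatcher_input is still folded into PN_EOS at line 56 with no record of the cause, and the removed `//return pn_error_set(transport->error, n, "dispatch error");` line shows this was a known gap rather than a decision taken in this commit; unless pn_dispatcher_input has already called pn_do_error on that path (not visible here), the caller only sees an end of stream. Either add a short comment stating that the dispatcher is responsible for reporting the error before returning a negative value, or record a transport error at this point. As a matter of style the `else` after an unconditional return is redundant: `if (n < 0 || transport->close_rcvd) { return PN_EOS; }` followed by `return n;`. The same shape is introduced in pn_input_read_sasl in c/src/sasl/sasl.c, and pn_input_read_amqp begins before this hunk.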
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/88fed8a9/c/src/sasl/sasl.c
----------------------------------------------------------------------
diff --git a/c/src/sasl/sasl.c b/c/src/sasl/sasl.c
index 125c06d..8366116 100644
--- a/c/src/sasl/sasl.c
+++ b/c/src/sasl/sasl.c
@@ -541,7 +541,7 @@ static void pn_error_sasl(pn_transport_t* transport, unsigned int layer)
static ssize_t pn_input_read_sasl_header(pn_transport_t* transport, unsigned int layer, const char* bytes, size_t available)
{
- bool eos = pn_transport_capacity(transport)==PN_EOS;
+ bool eos = transport->tail_closed;
pni_protocol_type_t protocol = pni_sniff_header(bytes, available);
switch (protocol) {
case PNI_PROTOCOL_AMQP_SASL:
@@ -581,7 +581,7 @@ static ssize_t pn_input_read_sasl(pn_transport_t* transport, unsigned int layer,
{
pni_sasl_t *sasl = transport->sasl;
- bool eos = pn_transport_capacity(transport)==PN_EOS;
+ bool eos = transport->tail_closed;
if (eos) {
pn_do_error(transport, "amqp:connection:framing-error", "connection aborted");
pn_set_error_layer(transport);
@@ -591,7 +591,12 @@ static ssize_t pn_input_read_sasl(pn_transport_t* transport, unsigned int layer,
pni_sasl_start_server_if_needed(transport);
if (!pni_sasl_is_final_input_state(sasl)) {
- return pn_dispatcher_input(transport, bytes, available, false, &transport->halt);
+ ssize_t n = pn_dispatcher_input(transport, bytes, available, false, &transport->halt);
+ if (n < 0 || transport->close_rcvd) {
+ return PN_EOS;
+ } else {
+ return n;
+ }
}
if (!pni_sasl_is_final_output_state(sasl)) {
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/88fed8a9/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880
----------------------------------------------------------------------
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880 b/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880
new file mode 100644
index 0000000..a8d08ef
Binary files /dev/null and b/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880 differ