Posted to commits@qpid.apache.org by as...@apache.org on 2018/07/30 16:34:56 UTC

[2/8] qpid-proton git commit: PROTON-1903: Bug found by OSS Fuzz project - Avoid calling pn_transport_capacity() during protocol processing, as it can reallocate the data buffer thus invalidating the data pointer

PROTON-1903: Bug found by OSS Fuzz project
- Avoid calling pn_transport_capacity() during protocol processing, as it can
  reallocate the data buffer thus invalidating the data pointer

OSS-Fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8305


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/88fed8a9
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/88fed8a9
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/88fed8a9

Branch: refs/heads/master
Commit: 88fed8a9abe341ccc3cfaa3e7b871dc0489df3bc
Parents: f48f4c5
Author: Andrew Stitcher <as...@apache.org>
Authored: Sun Jul 29 00:02:20 2018 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Mon Jul 30 11:35:09 2018 -0400

----------------------------------------------------------------------
 c/src/core/transport.c                             |   9 +++------
 c/src/sasl/sasl.c                                  |  11 ++++++++---
 .../fuzz-connection-driver/crash/5972719047802880  | Bin 0 -> 16384 bytes
 3 files changed, 11 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/88fed8a9/c/src/core/transport.c
----------------------------------------------------------------------
diff --git a/c/src/core/transport.c b/c/src/core/transport.c
index dde4b37..ae00773 100644
--- a/c/src/core/transport.c
+++ b/c/src/core/transport.c
@@ -271,7 +271,7 @@ void pn_set_error_layer(pn_transport_t *transport)
 ssize_t pn_io_layer_input_autodetect(pn_transport_t *transport, unsigned int layer, const char *bytes, size_t available)
 {
   const char* error;
-  bool eos = pn_transport_capacity(transport)==PN_EOS;
+  bool eos = transport->tail_closed;
   if (eos && available==0) {
     pn_do_error(transport, "amqp:connection:framing-error", "No valid protocol header found");
     pn_set_error_layer(transport);
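Review bot: The new line `bool eos = transport->tail_closed;` reads a transport field directly where the accessor used to be called, and nothing at the site says why, so the next cleanup is likely to put `pn_transport_capacity()` back and reintroduce the dangling-pointer bug this commit fixes. A comment on the line would pin the invariant, e.g. `/* Read the flag directly: pn_transport_capacity() may realloc the input buffer that 'bytes' points into (PROTON-1903) */`; whether `bytes` aliases that buffer is implied by the commit message rather than visible here, so word it as a NOTE if unsure. The same bare read appears in the hunks at lines 54, 82 and 91 (pn_input_read_amqp_header, pn_input_read_sasl_header, pn_input_read_sasl) and deserves the same comment, or a single comment on the field declaration if `tail_closed` is documented in the transport header. pn_io_layer_input_autodetect continues past the end of this hunk.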
@@ -2533,7 +2533,7 @@ static void pn_error_amqp(pn_transport_t* transport, unsigned int layer)
 
 static ssize_t pn_input_read_amqp_header(pn_transport_t* transport, unsigned int layer, const char* bytes, size_t available)
 {
-  bool eos = pn_transport_capacity(transport)==PN_EOS;
+  bool eos = transport->tail_closed;
   pni_protocol_type_t protocol = pni_sniff_header(bytes, available);
   switch (protocol) {
   case PNI_PROTOCOL_AMQP1:
@@ -2575,10 +2575,7 @@ static ssize_t pn_input_read_amqp(pn_transport_t* transport, unsigned int layer,
 
 
   ssize_t n = pn_dispatcher_input(transport, bytes, available, true, &transport->halt);
-  if (n < 0) {
-    //return pn_error_set(transport->error, n, "dispatch error");
-    return PN_EOS;
-  } else if (transport->close_rcvd) {
+  if (n < 0 || transport->close_rcvd) {
     return PN_EOS;
   } else {
     return n;

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/88fed8a9/c/src/sasl/sasl.c
----------------------------------------------------------------------
diff --git a/c/src/sasl/sasl.c b/c/src/sasl/sasl.c
index 125c06d..8366116 100644
--- a/c/src/sasl/sasl.c
+++ b/c/src/sasl/sasl.c
@@ -541,7 +541,7 @@ static void pn_error_sasl(pn_transport_t* transport, unsigned int layer)
 
 static ssize_t pn_input_read_sasl_header(pn_transport_t* transport, unsigned int layer, const char* bytes, size_t available)
 {
-  bool eos = pn_transport_capacity(transport)==PN_EOS;
+  bool eos = transport->tail_closed;
   pni_protocol_type_t protocol = pni_sniff_header(bytes, available);
   switch (protocol) {
   case PNI_PROTOCOL_AMQP_SASL:
@@ -581,7 +581,7 @@ static ssize_t pn_input_read_sasl(pn_transport_t* transport, unsigned int layer,
 {
   pni_sasl_t *sasl = transport->sasl;
 
-  bool eos = pn_transport_capacity(transport)==PN_EOS;
+  bool eos = transport->tail_closed;
   if (eos) {
     pn_do_error(transport, "amqp:connection:framing-error", "connection aborted");
     pn_set_error_layer(transport);
@@ -591,7 +591,12 @@ static ssize_t pn_input_read_sasl(pn_transport_t* transport, unsigned int layer,
   pni_sasl_start_server_if_needed(transport);
 
   if (!pni_sasl_is_final_input_state(sasl)) {
-    return pn_dispatcher_input(transport, bytes, available, false, &transport->halt);
+    ssize_t n = pn_dispatcher_input(transport, bytes, available, false, &transport->halt);
+    if (n < 0 || transport->close_rcvd) {
+      return PN_EOS;
+    } else {
+      return n;
+    }
   }
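Review bot: The added branch in pn_input_read_sasl maps every negative result of pn_dispatcher_input() to PN_EOS, so callers can no longer distinguish a dispatch error from a clean end of stream; pn_input_read_amqp already behaved this way (the hunk ending at line 69 of transport.c only simplifies it), but for the SASL layer this is a behaviour change the commit message does not mention. It is only safe if the dispatcher has already recorded the failure on the transport before returning `n < 0`, which is not visible in this diff, so that dependency should be stated next to the return, e.g. `/* NOTE: assumes the dispatcher reported any error on the transport before returning n < 0; PN_EOS only stops this layer */`. Likewise, whether `transport->close_rcvd` can be set while the SASL layer is still active is not shown here; if it cannot, that half of the condition is dead in this function and a comment should say it is kept for symmetry with the AMQP layer. pn_input_read_sasl continues past the end of this hunk.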
 
   if (!pni_sasl_is_final_output_state(sasl)) {

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/88fed8a9/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880
----------------------------------------------------------------------
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880 b/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880
new file mode 100644
index 0000000..a8d08ef
Binary files /dev/null and b/c/tests/fuzz/fuzz-connection-driver/crash/5972719047802880 differ

