Added fuzzer for msgpack #224
Conversation
|
Asserts in a library are bad. It is my bad specifically in this case. I'll look into that. |
|
I have fixed these two asserts. I have not checked memory usage yet. |
| struct ucl_parser *parser; | ||
|
|
||
| ucl_object_t *obj = ucl_object_new_full (UCL_OBJECT, 2); | ||
| obj->type = UCL_OBJECT; |
There was a problem hiding this comment.
Here is your leak btw. Why do you create this object that never got used/accessed or freed?
|
Ok, I have found your leak source. |
|
Great catch with the object, thanks a lot! Awesome with the two assertions. The fuzzer aborts from more assertions in ucl_msgpack. From a fuzzing-point-of-view, it would be best to get rid of all of them. I will be glad to continue the work you did with the assertions today and write the rest into if-statements that throw an ucl_create_err in case they fail. Are you open to such an improvement to ucl_msgpack? |
|
Yes, sure. Asserts should not happen because of the bad input - it should merely be a sign of library misuse. Msgpack part of libucl is not very mature tbh... |
2 participants
A couple of notes on this fuzzer:
1: It runs out of memory fairly quickly (about 20-30 seconds). To me it looks like everything is freed as it should be, but if that is not the case, I will appreciate any observations.
2: There are 2 assertions that make the fuzzer stop altogether. The one is line 1304:
libucl/src/ucl_msgpack.c
Lines 1301 to 1306 in e03e0bc
If you see a way to not trigger it, please let me know. We could free parser->stack manually and add a return statement just above it to not stop the fuzzer.
The second is on line 1047:
libucl/src/ucl_msgpack.c
Lines 1033 to 1049 in e03e0bc
Depending on what the logic is here, it might not be able to avoid it. If you have a suggestion to not abort here, do let me know.
In either case, we don’t need to change the code in the repository. We would make a temporary fix when running the fuzzers. Nevertheless, I would like to be sure that we don’t divert from the logic of the application.
It would be great if we could find a solution, as the fuzzer does find an off-by-one in ucl_msgpack.c, and it covers a large part of the ucl_msgpack.c code.