Retropex/bitcoin
1
0
Fork 0
mirror of https://github.com/Retropex/bitcoin.git synced 2025-05-20 15:10:46 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

[fuzz] Make peeking through FuzzedSock::Recv fuzzer friendly

Browse Source 
FuzzedSock only supports peeking at one byte at a time, which is not
fuzzer friendly when trying to receive long data.

Fix this by supporting peek data of arbitrary length instead of only one
byte.
This commit is contained in:
dergoegge 2024-05-31 12:49:13 +01:00
parent 865cdf3692
commit a7fceda68b
2 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/test/fuzz/util/net.cpp
View File

@ -193,16 +193,16 @@ ssize_t FuzzedSock::Recv(void* buf, size_t len, int flags) const
bool pad_to_len_bytes{m_fuzzed_data_provider.ConsumeBool()}; bool pad_to_len_bytes{m_fuzzed_data_provider.ConsumeBool()};
if (m_peek_data.has_value()) { if (m_peek_data.has_value()) {
// `MSG_PEEK` was used in the preceding `Recv()` call, return `m_peek_data`. // `MSG_PEEK` was used in the preceding `Recv()` call, return `m_peek_data`.
random_bytes.assign({m_peek_data.value()}); random_bytes = m_peek_data.value();
if ((flags & MSG_PEEK) == 0) { if ((flags & MSG_PEEK) == 0) {
m_peek_data.reset(); m_peek_data.reset();
} }
pad_to_len_bytes = false; pad_to_len_bytes = false;
} else if ((flags & MSG_PEEK) != 0) { } else if ((flags & MSG_PEEK) != 0) {
// New call with `MSG_PEEK`. // New call with `MSG_PEEK`.
random_bytes = m_fuzzed_data_provider.ConsumeBytes<uint8_t>(1); random_bytes = ConsumeRandomLengthByteVector(m_fuzzed_data_provider, len);
if (!random_bytes.empty()) { if (!random_bytes.empty()) {
m_peek_data = random_bytes[0]; m_peek_data = random_bytes;
pad_to_len_bytes = false; pad_to_len_bytes = false;
} }
} else { } else {
@ -215,7 +215,11 @@ ssize_t FuzzedSock::Recv(void* buf, size_t len, int flags) const
} }
return r; return r;
} }
std::memcpy(buf, random_bytes.data(), random_bytes.size()); // `random_bytes` might exceed the size of `buf` if e.g. Recv is called with
// len=N and MSG_PEEK first and afterwards called with len=M (M < N) and
// without MSG_PEEK.
size_t recv_len{std::min(random_bytes.size(), len)};
std::memcpy(buf, random_bytes.data(), recv_len);
if (pad_to_len_bytes) { if (pad_to_len_bytes) {
if (len > random_bytes.size()) { if (len > random_bytes.size()) {
std::memset((char*)buf + random_bytes.size(), 0, len - random_bytes.size()); std::memset((char*)buf + random_bytes.size(), 0, len - random_bytes.size());
@ -225,7 +229,7 @@ ssize_t FuzzedSock::Recv(void* buf, size_t len, int flags) const
if (m_fuzzed_data_provider.ConsumeBool() && std::getenv("FUZZED_SOCKET_FAKE_LATENCY") != nullptr) { if (m_fuzzed_data_provider.ConsumeBool() && std::getenv("FUZZED_SOCKET_FAKE_LATENCY") != nullptr) {
std::this_thread::sleep_for(std::chrono::milliseconds{2}); std::this_thread::sleep_for(std::chrono::milliseconds{2});
} }
return random_bytes.size(); return recv_len;
} }
int FuzzedSock::Connect(const sockaddr*, socklen_t) const int FuzzedSock::Connect(const sockaddr*, socklen_t) const

2
src/test/fuzz/util/net.h
View File

@ -43,7 +43,7 @@ class FuzzedSock : public Sock
* If `MSG_PEEK` is used, then our `Recv()` returns some random data as usual, but on the next * If `MSG_PEEK` is used, then our `Recv()` returns some random data as usual, but on the next
* `Recv()` call we must return the same data, thus we remember it here. * `Recv()` call we must return the same data, thus we remember it here.
*/ */
mutable std::optional<uint8_t> m_peek_data; mutable std::optional<std::vector<uint8_t>> m_peek_data;
/** /**
* Whether to pretend that the socket is select(2)-able. This is randomly set in the * Whether to pretend that the socket is select(2)-able. This is randomly set in the