Closed
Bug 1373843
Opened 7 years ago
Closed 7 years ago
Add a fuzztest for STUN parsing
Categories
(Core :: WebRTC: Networking, enhancement, P3)
Core
WebRTC: Networking
Tracking
()
RESOLVED
FIXED
mozilla57
People
(Reporter: drno, Assigned: dminor)
Details
(Keywords: meta, sec-other, Whiteboard: [adv-main57-][post-critsmash-triage])
Attachments
(3 files, 1 obsolete file)
3.26 KB,
patch
|
decoder
:
review+
|
Details | Diff | Splinter Review |
1.41 KB,
patch
|
drno
:
review+
|
Details | Diff | Splinter Review |
1.02 KB,
patch
|
posidron
:
review+
|
Details | Diff | Splinter Review |
Let's add a libfuzzer test for fuzzing the STUN parser in nICEr as the first step. Note: marking this as security to be on the safe side until we know if we are going to find any problems with it.
Reporter | ||
Comment 1•7 years ago
|
||
Dan this is the libfuzzer test for nICEr's STUN parsing function I have come up with. I have been running this now for several hours on my Linux desktop machine, without any major finding so far.
Updated•7 years ago
|
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → dminor
Updated•7 years ago
|
Summary: Add a fuzztest for STUN parsing → [meta] Add a fuzztest for STUN parsing
Comment 2•7 years ago
|
||
Mass change P3->P4 to align with new Mozilla triage process.
Priority: P2 → P3
Comment 3•7 years ago
|
||
Nils can we land this so it can run in our fuzzing cloud?
Flags: needinfo?(drno)
Assignee | ||
Comment 4•7 years ago
|
||
I don't have anything in my notes to remind me of what else we wanted to do here. The attached patch still applies and builds cleanly. Nils, please let me know what the next steps are here and I'd be happy to pick this up again.
Reporter | ||
Comment 5•7 years ago
|
||
I know the other fuzz client I wrote http://searchfox.org/mozilla-central/source/media/webrtc/signaling/fuzztest landed with some problems, which got fixed after it landed. Maybe double check that I did not made the same mistakes here. And then we only need to find someone for review.
Flags: needinfo?(drno)
Assignee | ||
Comment 6•7 years ago
|
||
The original patch was missing some build system integration; now builds and runs fine on my local system.
Attachment #8878704 -
Attachment is obsolete: true
Attachment #8909312 -
Flags: review?(choller)
Assignee | ||
Updated•7 years ago
|
Status: NEW → ASSIGNED
Comment 7•7 years ago
|
||
Comment on attachment 8909312 [details] [diff] [review] Fuzz stun parser Looks good to me. Before landing this, please confirm that it doesn't hit bugs immediately. We wouldn't want to 0-day ourselves :D
Attachment #8909312 -
Flags: review?(choller) → review+
Assignee | ||
Comment 8•7 years ago
|
||
I'll run it overnight and see what happens. So far, I've only hit an assertion which could be changed to be an error.
Assignee | ||
Comment 9•7 years ago
|
||
Attachment #8909945 -
Flags: review?(drno)
Reporter | ||
Comment 10•7 years ago
|
||
Comment on attachment 8909945 [details] [diff] [review] Change assert to error in stun_codec.c Review of attachment 8909945 [details] [diff] [review]: ----------------------------------------------------------------- With an update error message: LGTM ::: media/mtransport/third_party/nICEr/src/stun/stun_codec.c @@ +737,5 @@ > header->length = htons(length); > > /* make sure FINGERPRINT is final attribute in message */ > + if (length + sizeof(*header) != buflen) { > + r_log(NR_LOG_STUN, LOG_WARNING, "Unable to compute fingerprint"); Lets change the text here to something about the fingerprint not being at the end of the message, so we can distinguish from the next error one down.
Attachment #8909945 -
Flags: review?(drno) → review+
Assignee | ||
Comment 11•7 years ago
|
||
I left this to run overnight without finding anything more.
Assignee | ||
Comment 12•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/34ddff9dde50 https://hg.mozilla.org/integration/mozilla-inbound/rev/94f776f0a816
Assignee | ||
Updated•7 years ago
|
Rank: 25
Summary: [meta] Add a fuzztest for STUN parsing → Add a fuzztest for STUN parsing
Assignee | ||
Comment 13•7 years ago
|
||
Attachment #8910484 -
Flags: review?(cdiehl)
Comment 14•7 years ago
|
||
Comment on attachment 8910484 [details] [diff] [review] Set nicer.gyp cflags for fuzzing Yup. I recall we had similar issues as we tried to land the SdpParser fuzzer.
Attachment #8910484 -
Flags: review?(cdiehl) → review+
Assignee | ||
Comment 15•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/51711f2c9cae02483300eaaf12badc73a39e24b1
Comment 16•7 years ago
|
||
Successfully running in our cloud. Thanks!
https://hg.mozilla.org/mozilla-central/rev/34ddff9dde50 https://hg.mozilla.org/mozilla-central/rev/94f776f0a816
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Comment 18•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/51711f2c9cae
Flags: in-testsuite+
Updated•7 years ago
|
Updated•7 years ago
|
Group: media-core-security → core-security-release
Updated•7 years ago
|
Whiteboard: [adv-main57-]
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main57-] → [adv-main57-][post-critsmash-triage]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•