AMQ Clients / ENTMQCL-840

[c] Infinite loop in pn_do_disposition on invalid input received


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Versions: 2.3.0.B2, 2.2.0.GA
    • Component: proton-c

      Compile proton, run with the attached testcase.

      c/tests/fuzz/fuzz-connection-driver clusterfuzz-testcase-minimized-fuzz-connection-driver-5118747114209280
    • Irving

      In a debugger, I observed the code looping between the following lines. Here, last is 0, id gets to become a very large number (2657203455 when I looked), and delivery is always a nullptr, so the if is skipped and the loop runs again.

        for (pn_sequence_t id = first; sequence_lte(id, last); ++id) {
          pn_delivery_t *delivery = pni_delivery_map_get(deliveries, id);
          if (delivery) {
      

      Found by OSS-Fuzz, at https://oss-fuzz.com/v2/testcase-detail/5118747114209280

      ALARM: working on the last Unit for 25 seconds
      and the timeout value is 25 (use -timeout=N to change)
      ==1== ERROR: libFuzzer: timeout after 25 seconds
      #0 0x46da93 in __sanitizer_print_stack_trace /src/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29
      #1 0x4ab476 in fuzzer::PrintStackTrace() /src/libfuzzer/FuzzerUtil.cpp:206:5
      #2 0x4b8455 in fuzzer::Fuzzer::AlarmCallback() /src/libfuzzer/FuzzerLoop.cpp:300:5
      #3 0x7f4a01ec238f in libpthread.so.0
      #4 0x4a7f93 in AddValueModPrime /src/libfuzzer/FuzzerValueBitMap.h:45:27
      #5 0x4a7f93 in HandleCallerCallee /src/libfuzzer/FuzzerTracePC.cpp:185
      #6 0x4a7f93 in __sanitizer_cov_trace_pc_indir /src/libfuzzer/FuzzerTracePC.cpp:495
      #7 0x4942b7 in pni_map_entry /src/qpid-proton/c/src/core/object/map.c:192:24
      #8 0x4942b7 in pn_map_get /src/qpid-proton/c/src/core/object/map.c:264
      #9 0x4942b7 in pn_hash_get /src/qpid-proton/c/src/core/object/map.c:435
      #10 0x486c43 in pni_delivery_map_get /src/qpid-proton/c/src/core/transport.c:93:28
      #11 0x486c43 in pn_do_disposition /src/qpid-proton/c/src/core/transport.c:1668
      #12 0x4a58ec in pni_dispatch_action /src/qpid-proton/c/src/core/dispatcher.c:74:10
      #13 0x4a58ec in pni_dispatch_frame /src/qpid-proton/c/src/core/dispatcher.c:116
      #14 0x4a58ec in pn_dispatcher_input /src/qpid-proton/c/src/core/dispatcher.c:135
      #15 0x47fbec in pn_input_read_amqp /src/qpid-proton/c/src/core/transport.c:2577:15
      #16 0x4835a1 in transport_consume /src/qpid-proton/c/src/core/transport.c:1821:9
      #17 0x487bd9 in pn_transport_process /src/qpid-proton/c/src/core/transport.c:2959:15
      #18 0x4701fc in fcd_read /src/qpid-proton/c/tests/fuzz/fuzz-connection-driver.c:211:3
      #19 0x4701fc in LLVMFuzzerTestOneInput /src/qpid-proton/c/tests/fuzz/fuzz-connection-driver.c:93
      #20 0x4b9e77 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:576:15
      #21 0x4ac39c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
      #22 0x4afc5b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:714:9
      #23 0x4a5fc8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
      #24 0x7f4a014e582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      #25 0x445688 in _start
      custom-crash-state: qpid-proton_fuzz-connection-driver
      SUMMARY: libFuzzer: timeout
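      The loop quoted in the description walks every delivery id from first to last under a wraparound (serial-number) comparison, so a peer-supplied range whose first id sits far "behind" last costs one hash lookup per id in between, well over a billion for the value observed above, even though no delivery is ever found. The following C program is an added example written for this issue, not code from Proton or from the reporter: it models the id type and the comparison (seq_lte is an illustrative definition, not Proton's sequence_lte), computes how many ids such a range spans without actually spinning through them, and shows one defensive check, disposition_range_ok, that rejects any range lying outside the window of ids the local endpoint has actually issued. delivery_window_t, map_get and apply_disposition are constructed stand-ins, and the guard is the example's own mitigation, not the fix that shipped in Proton.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for Proton's delivery-id type (a 32-bit signed integer). */
typedef int32_t pn_sequence_t;

/* Serial-number "a is at or before b" modulo 2^32. Illustrative definition,
 * not copied from Proton's sequence_lte(). */
static bool seq_lte(pn_sequence_t a, pn_sequence_t b)
{
    return (int32_t)((uint32_t)a - (uint32_t)b) <= 0;
}

/* Number of ids the loop "for (id = first; seq_lte(id, last); ++id)" would
 * visit, computed arithmetically so nobody has to spin through them. */
uint64_t range_length(pn_sequence_t first, pn_sequence_t last)
{
    if (!seq_lte(first, last))
        return 0;
    return (uint64_t)((uint32_t)last - (uint32_t)first) + 1u;
}

/* Constructed model of the ids this endpoint has issued: lowest_outstanding
 * up to next_id - 1 inclusive, modulo 2^32. */
typedef struct {
    pn_sequence_t lowest_outstanding;
    pn_sequence_t next_id;
} delivery_window_t;

/* Reject a disposition range that is inverted or reaches outside the issued
 * window; any accepted range then spans at most the ids we handed out.
 * This guard is the example's own mitigation, not Proton's fix. */
bool disposition_range_ok(const delivery_window_t *w,
                          pn_sequence_t first, pn_sequence_t last)
{
    uint32_t issued = (uint32_t)w->next_id - (uint32_t)w->lowest_outstanding;
    if (issued == 0)
        return false;
    pn_sequence_t highest = (pn_sequence_t)((uint32_t)w->next_id - 1u);
    return seq_lte(first, last)
        && seq_lte(w->lowest_outstanding, first)
        && seq_lte(last, highest);
}

/* Toy delivery map, a constructed stand-in for pni_delivery_map_get(). */
typedef struct {
    pn_sequence_t id;
    bool settled;
} delivery_t;

static delivery_t *map_get(delivery_t *map, size_t n, pn_sequence_t id)
{
    for (size_t i = 0; i < n; ++i)
        if (map[i].id == id)
            return &map[i];
    return NULL;
}

/* Apply a disposition frame's [first, last] range. Returns the number of
 * deliveries found and settled, or -1 when the range is rejected. The id is
 * stepped as uint32_t so ++id wraps instead of overflowing a signed int. */
int apply_disposition(delivery_t *map, size_t n, const delivery_window_t *w,
                      pn_sequence_t first, pn_sequence_t last)
{
    if (!disposition_range_ok(w, first, last))
        return -1;
    int touched = 0;
    uint64_t n_ids = range_length(first, last);
    uint32_t id = (uint32_t)first;
    for (uint64_t i = 0; i < n_ids; ++i, ++id) {
        delivery_t *d = map_get(map, n, (pn_sequence_t)id);
        if (d) {
            d->settled = true;
            touched++;
        }
    }
    return touched;
}

int main(void)
{
    /* Constructed state: ids 0..4 issued, 2..4 still outstanding. */
    delivery_t map[] = { {2, false}, {3, false}, {4, false} };
    delivery_window_t w = { .lowest_outstanding = 2, .next_id = 5 };

    /* A well-formed disposition covering the outstanding deliveries. */
    printf("benign [2,4]: touched=%d\n", apply_disposition(map, 3, &w, 2, 4));

    /* Constructed from the id the reporter observed (2657203455) used as
     * first, with last = 0: this is how many lookups an unguarded loop runs. */
    pn_sequence_t first = (pn_sequence_t)2657203455u;
    printf("observed range spans %llu ids\n",
           (unsigned long long)range_length(first, 0));
    printf("observed range guarded: %d\n", apply_disposition(map, 3, &w, first, 0));
    return 0;
}
```

      The guard relies on local state only (which ids were issued), so it needs no trust in the peer, and the window comparison still accepts a legitimate range that straddles the 2^32 wrap.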
      

            People: Andrew Stitcher (astitcher), Jiri Daněk (jdanek@redhat.com)