Hi, I am using the existing fuzzers in https://github.com/curl/curl-fuzzer.
When working with the http fuzzer, I found to my surprise that the fuzzing enters the pop3_done() function. The http fuzzer sets the allowed protocols to HTTP before starting any transfers (line 74 in curl_fuzzer.cc, see https://github.com/curl/curl-fuzzer/blob/da433adbe2b4806588539bd1c4585a1ccb3bb3d6/curl_fuzzer.cc#L74).

Here is test data that makes this happen sporadically:

AAEAAAABQQApAAAACHBvcDM6L3RB

This is base64 encoded; to make a real TLV test case, decode it and feed it to the fuzzer. The decoded contents of the test data mean this is what happens:

- set hostname to "A"
- set doh url to "pop3:/tA"
- start transferring

I put an assert in the pop3_done() function, and the stack trace is shown below. I am not sure if this is intended behaviour, unless "dns over pop3" is the new thing :-)

The same thing happens with imap_done.

Paul

INFO: Loaded 1 modules (15554 inline 8-bit counters): 15554 [0x663c6f, 0x667931),
INFO: Loaded 1 PC tables (15554 PCs): 15554 [0x5d8010,0x614c30),
tests/curl_fuzzer_http: Running 1 inputs 1 time(s) each.
Running: ../build-fuzz-clang8-plain-O3/minimized-from-46f6abbb9b2c80fb39b0dfbc24c76559bbe25951
curl_fuzzer_http: ../lib/pop3.c:1121: CURLcode pop3_done(struct connectdata *, CURLcode, _Bool): Assertion `!"you should not reach here"' failed.
==24763== ERROR: libFuzzer: deadly signal
    #0 0x461def in __sanitizer_print_stack_trace (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x461def)
    #1 0x441b3b in fuzzer::PrintStackTrace() (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x441b3b)
    #2 0x426be8 in fuzzer::Fuzzer::CrashCallback() (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x426be8)
    #3 0x426baf in fuzzer::Fuzzer::StaticCrashSignalCallback() (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x426baf)
    #4 0x7f0f8999a72f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1272f)
    #5 0x7f0f897d87ba in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x377ba)
    #6 0x7f0f897c3534 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22534)
    #7 0x7f0f897c340e in __tls_get_addr (/lib/x86_64-linux-gnu/libc.so.6+0x2240e)
    #8 0x7f0f897d1101 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x30101)
    #9 0x5481b1 in pop3_done /home/paul/code/delaktig/curl/build-fuzz-clang8-plain/../lib/pop3.c:1121:5
    #10 0x474269 in multi_done /home/paul/code/delaktig/curl/build-fuzz-clang8-plain/../lib/multi.c:556:14
    #11 0x47c755 in curl_multi_cleanup /home/paul/code/delaktig/curl/build-fuzz-clang8-plain/../lib/multi.c:2278:15
    #12 0x464813 in fuzz_handle_transfer(fuzz_data*) /home/paul/code/delaktig/curl-fuzzer/intree_fuzzer/src/networkfuzzers/curl_fuzzer.cc:391:3
    #13 0x4635a6 in LLVMFuzzerTestOneInput /home/paul/code/delaktig/curl-fuzzer/intree_fuzzer/src/networkfuzzers/curl_fuzzer.cc:93:3
    #14 0x427f0a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x427f0a)
    #15 0x41a84c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x41a84c)
    #16 0x41fcd1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x41fcd1)
    #17 0x4422f2 in main (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x4422f2)
    #18 0x7f0f897c509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #19 0x419129 in _start (/home/paul/code/delaktig/curl/build-fuzz-clang8-plain/tests/curl_fuzzer_http+0x419129)

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
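The base64 string in the message is a curl-fuzzer TLV blob. Decoding it by hand shows the record layout the fuzzer consumes: a 16-bit big-endian type, a 32-bit big-endian length, then the value (type 1, length 1, "A"; type 41, length 8, "pop3:/tA"). The following Python is an added example, not code from the post or from the curl-fuzzer project: it decodes the posted test case, parses and re-serialises TLV records with bounds checking, and writes a raw file that can be handed to the fuzzer binary. The type names (1 = URL/hostname, 41 = DoH URL) are an assumption inferred from the post's own description of what the data does, not copied from curl_fuzzer.h.

```python
from __future__ import annotations

import base64
import struct

# The test case from the post, base64 encoded (copied from the message above).
POSTED_TESTCASE_B64 = "AAEAAAABQQApAAAACHBvcDM6L3RB"

# TLV type names. ASSUMPTION: inferred from the post's description of what the
# two records do ("set hostname", "set doh url"); not taken from curl_fuzzer.h.
TLV_NAMES = {
    1: "URL",      # assumed: the URL record, here just the hostname "A"
    41: "DOH_URL", # assumed: the DoH URL record, here "pop3:/tA"
}

# Record header as observed in the decoded bytes:
# 16-bit big-endian type followed by 32-bit big-endian length.
HEADER = struct.Struct(">HI")


def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Split a TLV blob into (type, value) records.

    Raises ValueError on a truncated header or on a length that runs past the
    end of the input, so a malformed hand-edited case is reported rather than
    silently misparsed.
    """
    records: list[tuple[int, bytes]] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        if tlv_len > len(data) - offset:
            raise ValueError(
                f"TLV type {tlv_type} declares {tlv_len} bytes, "
                f"only {len(data) - offset} remain"
            )
        records.append((tlv_type, data[offset:offset + tlv_len]))
        offset += tlv_len
    return records


def build_tlv(records: list[tuple[int, bytes]]) -> bytes:
    """Inverse of parse_tlv: serialise records into a blob in the same layout."""
    out = bytearray()
    for tlv_type, value in records:
        if not 0 <= tlv_type <= 0xFFFF or len(value) > 0xFFFFFFFF:
            raise ValueError("type or length does not fit the TLV header")
        out += HEADER.pack(tlv_type, len(value))
        out += value
    return bytes(out)


def is_well_formed(data: bytes) -> bool:
    """True if the blob parses cleanly, False if a header or length is bad."""
    try:
        parse_tlv(data)
        return True
    except ValueError:
        return False


def decode_posted_testcase() -> list[tuple[int, bytes]]:
    """Decode the base64 test case from the post into its TLV records."""
    return parse_tlv(base64.b64decode(POSTED_TESTCASE_B64))


def describe(records: list[tuple[int, bytes]]) -> None:
    for tlv_type, value in records:
        name = TLV_NAMES.get(tlv_type, "UNKNOWN")
        print(f"type {tlv_type:3d} ({name:8s}) len {len(value):3d} value {value!r}")


if __name__ == "__main__":
    recs = decode_posted_testcase()
    describe(recs)
    # Write the raw blob so it can be fed to the fuzzer binary, e.g.
    #   ./curl_fuzzer_http doh-over-pop3.tlv   (file name is our choice)
    with open("doh-over-pop3.tlv", "wb") as f:
        f.write(build_tlv(recs))
```

Editing the record list and re-running build_tlv is a quick way to check which of the two records triggers the pop3_done() path, for instance by changing the scheme in the type 41 value to imap:// and comparing against the imap_done report in the message.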