Merge pull request #3905 from bluca/fuzzers

Problems: potential memory leak in test_connect_curve_fuzzer, SECURITY.md could use some updates
2025-03-04 07:27:26 +01:00 · 2020-05-09 15:27:52 +03:00 · 2020-05-09 15:27:52 +03:00 · 0244d809a2
commit 0244d809a2
parent be77a8d932 fb9d055578
3 changed files with 29 additions and 3 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,6 +6,7 @@

 | Version | Supported          |
 | ------- | ------------------ |
+| 4.3.x   | :white_check_mark: |
 | 4.2.x   | :white_check_mark: |
 | 4.1.x   | :white_check_mark: |
 | 4.0.x   | :white_check_mark: |
@ -21,6 +22,29 @@ please send a GPG encrypted email with the details to the maintainers:
 | Doron Somech | somdoron@gmail.com | E0B0 E3D1 55DD 6ED6 71FB  2B79 D0B9 CC44 867D 8F3D |
 | Luca Boccassi | luca.boccassi@gmail.com | A9EA 9081 724F FAE0 484C 35A1 A81C EA22 BC8C 7E2E |

+## Internal severity classification
+
+We will attempt to follow this general policy when assigning a severity to
+security issues. These are guidelines more than rules, and as such end
+results might vary.
+
+
+| Severity | Definition |
+| -------- | ---------- |
+| CRITICAL | endpoints using STRONG authentication are SILENTLY affected |
+| HIGH | endpoints using STRONG authentication are VISIBLY affected |
+| MODERATE | endpoints NOT using STRONG authentication are SILENTLY affected |
+| LOW | endpoints NOT using STRONG authentication are VISIBLY affected |
+
+STRONG authentication means transports that use cryptography, for example CURVE
+and TLS.
+
+VISIBLY affected means that platform owners are likely to immediately notice
+misbehaviours, like crashes or loss of connectivity for legitimate peers.
+
+SILENTLY affected means that without close inspection, platform owners are
+unlikely to notice misbehaviours, like remote code executions or data exfiltration.
+
 ### Public keys
 <details>
 <summary>Doron Somech</summary>
--- a/tests/test_bind_curve_fuzzer.cpp
+++ b/tests/test_bind_curve_fuzzer.cpp
@ -71,14 +71,14 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
        send (client, (void *) data, 202, MSG_NOSIGNAL);
        data += 202;
        size -= 202;
-        recv (client, buf, 170, 0);
+        recv (client, buf, 170, MSG_DONTWAIT);
    }
    // Then send READY and expect INITIATE if there's enough data
    if (size >= 301) {
        send (client, (void *) data, 301, MSG_NOSIGNAL);
        data += 301;
        size -= 301;
-        recv (client, buf, 512, 0);
+        recv (client, buf, 512, MSG_DONTWAIT);
    }
    msleep (250);
    for (ssize_t sent = 0; size > 0 && (sent != -1 || errno == EINTR);
--- a/tests/test_connect_curve_fuzzer.cpp
+++ b/tests/test_connect_curve_fuzzer.cpp
@ -91,8 +91,10 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)

    zmq_msg_t msg;
    zmq_msg_init (&msg);
-    while (-1 != zmq_msg_recv (&msg, client, ZMQ_DONTWAIT))
+    while (-1 != zmq_msg_recv (&msg, client, ZMQ_DONTWAIT)) {
        zmq_msg_close (&msg);
+        zmq_msg_init (&msg);
+    }

    close (server_accept);
    close (server);