Merge pull request #3918 from bluca/fuzzers

Problem: unfinished message can be leaked by client pipe
2025-01-19 08:46:44 +01:00 · 2020-05-15 22:15:02 +03:00 · 2020-05-15 22:15:02 +03:00 · 3033112645
commit 3033112645
parent afacdbeccf 6815138501
3 changed files with 34 additions and 2 deletions
--- a/src/pipe.cpp
+++ b/src/pipe.cpp
@ -506,6 +506,7 @@ void zmq::pipe_t::process_delimiter ()
    if (_state == active)
        _state = delimiter_received;
    else {
+        rollback ();
        _out_pipe = NULL;
        send_pipe_term_ack (_peer);
        _state = term_ack_sent;
--- a/tests/test_bind_curve_fuzzer.cpp
+++ b/tests/test_bind_curve_fuzzer.cpp
@ -42,6 +42,10 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 {
    const char *fixed_client_public =
      "{{k*81)yMWEF{/BxdMd[5RL^qRFxBgoL<8m.D^KD";
+    const char *fixed_client_secret =
+      "N?Gmik8R[2ACw{b7*[-$S6[4}aO#?DB?#=<OQPc7";
+    const char *fixed_server_public =
+      "3.9-xXwy{g*w72TP*3iB9IJJRxlBH<ufTAvPd2>C";
    const char *fixed_server_secret =
      "T}t5GLq%&Qm1)y3ywu-}pY3KEA//{^Ut!M1ut+B4";
    void *handler;
@ -86,8 +90,27 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
        sent = send (client, (const char *) data, size, MSG_NOSIGNAL);
    msleep (250);

-    close (client);
+    //  Drain the queue, if any
+    zmq_msg_t msg;
+    zmq_msg_init (&msg);
+    while (-1 != zmq_msg_recv (&msg, server, ZMQ_DONTWAIT)) {
+        zmq_msg_close (&msg);
+        zmq_msg_init (&msg);
+    }

+    //  A well-behaved client should work while the malformed data from the other
+    //  is being received
+    curve_client_data_t curve_client_data = {
+      fixed_server_public, fixed_client_public, fixed_client_secret};
+    void *client_mon;
+    void *client_good = create_and_connect_client (
+      my_endpoint, socket_config_curve_client, &curve_client_data, &client_mon);
+
+    bounce (server, client_good);
+
+    close (client);
+    test_context_socket_close_zero_linger (client_good);
+    test_context_socket_close_zero_linger (client_mon);
    shutdown_context_and_server_side (zap_thread, server, server_mon, handler);
    teardown_test_context ();

--- a/tests/test_bind_null_fuzzer.cpp
+++ b/tests/test_bind_null_fuzzer.cpp
@ -49,6 +49,11 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
    bind_loopback_ipv4 (server, my_endpoint, sizeof (my_endpoint));
    fd_t client = connect_socket (my_endpoint);

+    void *client_good = test_context_socket (ZMQ_SUB);
+    TEST_ASSERT_SUCCESS_ERRNO (
+      zmq_setsockopt (client_good, ZMQ_SUBSCRIBE, "", 0));
+    TEST_ASSERT_SUCCESS_ERRNO (zmq_connect (client_good, my_endpoint));
+
    //  If there is not enough data for a full greeting, just send what we can
    //  Otherwise send greeting first, as expected by the protocol
    uint8_t buf[64];
@ -64,8 +69,11 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
        sent = send (client, (const char *) data, size, MSG_NOSIGNAL);
    msleep (250);

-    close (client);
+    TEST_ASSERT_EQUAL_INT (6, zmq_send_const (server, "HELLO", 6, 0));
+    TEST_ASSERT_EQUAL_INT (6, zmq_recv (client_good, buf, 6, 0));

+    close (client);
+    test_context_socket_close_zero_linger (client_good);
    test_context_socket_close_zero_linger (server);
    teardown_test_context ();