Problem: fuzz tests do not check that legitimate clients work

Solution: add normal client sockets and bounce at the same time as the mock client
2025-03-01 02:56:56 +01:00 · 2020-05-15 14:10:43 +01:00 · 2020-05-15 14:10:43 +01:00 · 6439d32254
commit 6439d32254
parent afacdbeccf
2 changed files with 33 additions and 2 deletions
--- a/tests/test_bind_curve_fuzzer.cpp
+++ b/tests/test_bind_curve_fuzzer.cpp
@ -42,6 +42,10 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 {
    const char *fixed_client_public =
      "{{k*81)yMWEF{/BxdMd[5RL^qRFxBgoL<8m.D^KD";
+    const char *fixed_client_secret =
+      "N?Gmik8R[2ACw{b7*[-$S6[4}aO#?DB?#=<OQPc7";
+    const char *fixed_server_public =
+      "3.9-xXwy{g*w72TP*3iB9IJJRxlBH<ufTAvPd2>C";
    const char *fixed_server_secret =
      "T}t5GLq%&Qm1)y3ywu-}pY3KEA//{^Ut!M1ut+B4";
    void *handler;
@ -86,8 +90,27 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
        sent = send (client, (const char *) data, size, MSG_NOSIGNAL);
    msleep (250);

-    close (client);
+    //  Drain the queue, if any
+    zmq_msg_t msg;
+    zmq_msg_init (&msg);
+    while (-1 != zmq_msg_recv (&msg, server, ZMQ_DONTWAIT)) {
+        zmq_msg_close (&msg);
+        zmq_msg_init (&msg);
+    }

+    //  A well-behaved client should work while the malformed data from the other
+    //  is being received
+    curve_client_data_t curve_client_data = {
+      fixed_server_public, fixed_client_public, fixed_client_secret};
+    void *client_mon;
+    void *client_good = create_and_connect_client (
+      my_endpoint, socket_config_curve_client, &curve_client_data, &client_mon);
+
+    bounce (server, client_good);
+
+    close (client);
+    test_context_socket_close_zero_linger (client_good);
+    test_context_socket_close_zero_linger (client_mon);
    shutdown_context_and_server_side (zap_thread, server, server_mon, handler);
    teardown_test_context ();

--- a/tests/test_bind_null_fuzzer.cpp
+++ b/tests/test_bind_null_fuzzer.cpp
@ -49,6 +49,11 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
    bind_loopback_ipv4 (server, my_endpoint, sizeof (my_endpoint));
    fd_t client = connect_socket (my_endpoint);

+    void *client_good = test_context_socket (ZMQ_SUB);
+    TEST_ASSERT_SUCCESS_ERRNO (
+      zmq_setsockopt (client_good, ZMQ_SUBSCRIBE, "", 0));
+    TEST_ASSERT_SUCCESS_ERRNO (zmq_connect (client_good, my_endpoint));
+
    //  If there is not enough data for a full greeting, just send what we can
    //  Otherwise send greeting first, as expected by the protocol
    uint8_t buf[64];
@ -64,8 +69,11 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
        sent = send (client, (const char *) data, size, MSG_NOSIGNAL);
    msleep (250);

-    close (client);
+    TEST_ASSERT_EQUAL_INT (6, zmq_send_const (server, "HELLO", 6, 0));
+    TEST_ASSERT_EQUAL_INT (6, zmq_recv (client_good, buf, 6, 0));

+    close (client);
+    test_context_socket_close_zero_linger (client_good);
    test_context_socket_close_zero_linger (server);
    teardown_test_context ();