Do not accept too long inputs that fill socket buffers

There are long-standing issues with fuzzing, which cause the send() not writing all the provided bytes and causing the fuzzer driver to crash. This can be simply solved by limiting the input size to reasonably large value. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21967 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2022-08-05 12:10:52 +02:00 · 2022-08-05 12:10:52 +02:00 · 5dd8c03b3a
--- a/tests/fuzz/ssh_client_fuzzer.c
+++ b/tests/fuzz/ssh_client_fuzzer.c
@ -94,6 +94,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
    bool no = false;
    int rc;

+    /* This is the maximum that can be handled by the socket buffer before the
+     * other side will read some data. Other option would be feeding the socket
+     * from different thread which would not mind if it would be blocked, but I
+     * believe all the important inputs should fit into this size */
+    if (size > 219264) {
+        return -1;
+    }
+
    /* Set up the socket to send data */
    rc = socketpair(AF_UNIX, SOCK_STREAM, 0, socket_fds);
    assert(rc == 0);
--- a/tests/fuzz/ssh_server_fuzzer.c
+++ b/tests/fuzz/ssh_server_fuzzer.c
@ -139,6 +139,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
        .channel_open_request_session_function = channel_open,
    };

+    /* This is the maximum that can be handled by the socket buffer before the
+     * other side will read some data. Other option would be feeding the socket
+     * from different thread which would not mind if it would be blocked, but I
+     * believe all the important inputs should fit into this size */
+    if (size > 219264) {
+        return -1;
+    }
+
    /* Write SSH RSA host key to disk */
    rc = write_rsa_hostkey("/tmp/libssh_fuzzer_private_key");
    assert(rc == 0);