Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't crash when the packet length is zero #389

Merged
merged 1 commit into from
Nov 3, 2020
Merged

Don't crash when the packet length is zero #389

merged 1 commit into from
Nov 3, 2020

Conversation

greatroar
Copy link
Contributor

A packet with an invalid length causes a panic in recvPacket. Patch includes the fuzz test that found this out in a few seconds.

davecheney
davecheney requested changes Oct 28, 2020
View reviewed changes
Copy link
Member

@davecheney davecheney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for working on this. I don't see much value in fuzzing the private API. Can you demonstrate that this crash can be trigged via a public API?

packet.go Outdated Show resolved Hide resolved
@greatroar
Copy link
Contributor Author

greatroar commented Oct 28, 2020
edited
Loading

Not an API, but a client panics when it connects to a broken server like the following one:

func TestBrokenServer(t *testing.T) {
	cr, sw := io.Pipe() // client reads, server writes
	sr, cw := io.Pipe() // server reads, client writes

	// Broken server that doesn't speak proper SFTP.
	go func() {
		go io.Copy(ioutil.Discard, sr)
		sw.Write([]byte{0, 0, 0, 0})
		sw.Close()
	}()

	NewClientPipe(cr, cw)
}

@greatroar
Copy link
Contributor Author

I can change the fuzz test to do something similar. It would be more expensive to run, obviously.

@davecheney
Copy link
Member

Can you write that as a failing test case?

@davecheney
Copy link
Member

Remember that new client pipe doesn't actually need an io.pipe, that should make the test simpler, and simpler to write a fuzzer

@greatroar
Copy link
Contributor Author

New test and fuzzer now calls NewClientPipe.

@greatroar
Copy link
Contributor Author

The test failure is the same as one master (fixed in #387).

puellanivis
puellanivis reviewed Oct 29, 2020
View reviewed changes
client_test.go Outdated Show resolved Hide resolved
client_test.go Outdated Show resolved Hide resolved
fuzz.go Outdated Show resolved Hide resolved
packet.go Outdated Show resolved Hide resolved
fuzz.go Outdated Show resolved Hide resolved
@greatroar greatroar force-pushed the short-packet branch 2 times, most recently from d21b507 to 92cc5dc Compare October 29, 2020 14:48
@greatroar greatroar changed the title Don't crash when the packet length is < 5 Don't crash when the packet length is zero Oct 29, 2020
puellanivis
puellanivis reviewed Oct 29, 2020
View reviewed changes
packet.go Outdated Show resolved Hide resolved
davecheney
davecheney requested changes Oct 29, 2020
View reviewed changes
Copy link
Member

@davecheney davecheney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this

client_test.go Outdated Show resolved Hide resolved
fuzz.go Outdated Show resolved Hide resolved
packet_test.go Outdated Show resolved Hide resolved
davecheney
davecheney requested changes Oct 30, 2020
View reviewed changes
Copy link
Member

@davecheney davecheney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this

I don't see the utility of testing recvPacket for short packets. I would like to see a test against the external API exposed by NewClientPipe. If recvPacket crashes because the input is smaller than expected then this is the fault of its caller. It should be fixed at that point.

client_test.go Outdated Show resolved Hide resolved
@greatroar greatroar force-pushed the short-packet branch 3 times, most recently from 230835f to 96cf5ed Compare October 30, 2020 09:38
@greatroar
Copy link
Contributor Author

I would like to see a test against the external API exposed by NewClientPipe.

Done, and also added a test that crashes the server on current master.

davecheney
davecheney approved these changes Oct 30, 2020
View reviewed changes
Copy link
Member

@davecheney davecheney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you. I'll leave this for the other maintainers.

@puellanivis
Copy link
Collaborator

Probably fine from me as well, but I’d like to get #387 merged first. Then a rebase would be required here.

@greatroar greatroar mentioned this pull request Oct 31, 2020
Closed
@greatroar
Copy link
Contributor Author

Rebased on #387.

puellanivis
puellanivis reviewed Oct 31, 2020
View reviewed changes
server_test.go Outdated Show resolved Hide resolved
puellanivis
puellanivis reviewed Nov 2, 2020
View reviewed changes
client_test.go Outdated Show resolved Hide resolved
@puellanivis puellanivis merged commit 796f65a into pkg:master Nov 3, 2020
@greatroar greatroar deleted the short-packet branch November 3, 2020 13:39
@dependabot dependabot bot mentioned this pull request Mar 8, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@puellanivis puellanivis puellanivis left review comments

@davecheney davecheney davecheney approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@greatroar @davecheney @puellanivis