MONGOCRYPT-834 fuzzing for oss-fuzz#1152
Conversation
| if (parser->first_len > (uint32_t) INT32_MAX) { | ||
| KMS_ERROR (parser, "KMIP response length field too large"); | ||
| return false; | ||
| } |
There was a problem hiding this comment.
Do git merge master. This change should no longer be needed with the fix of 92b5144
| if (bin) { | ||
| mongocrypt_ctx_mongo_feed(ctx, bin); | ||
| mongocrypt_binary_destroy(bin); | ||
| } |
There was a problem hiding this comment.
Suggest removing unnecessary NULL check. I expect mongocrypt_binary_new_from_data cannot return NULL (it uses bson_malloc0, which aborts on allocation failure).
Suggestion also applies to other calls of mongocrypt_binary_new_from_data.
| 4 OP_DATAKEY (input_bin ignored; extra bytes unused unless | ||
| 5 OP_REWRAP_MANY_DATAKEY state machine needs feeding) |
There was a problem hiding this comment.
I expect comment only applies to OP_DATAKEY.
| 4 OP_DATAKEY (input_bin ignored; extra bytes unused unless | |
| 5 OP_REWRAP_MANY_DATAKEY state machine needs feeding) | |
| 4 OP_DATAKEY (input_bin ignored; extra bytes unused unless state machine needs feeding) | |
| 5 OP_REWRAP_MANY_DATAKEY |
|
|
||
| The optional extra bytes are consumed by drive_ctx() as it walks the state | ||
| machine. For NEED_MONGO_* states it reads a 2-byte LE length then that many | ||
| bytes; for NEED_KMS it reads exactly bytes_needed bytes from the KMS context. |
There was a problem hiding this comment.
IIUC this is describing how the input bytes are read:
| bytes; for NEED_KMS it reads exactly bytes_needed bytes from the KMS context. | |
| bytes; for NEED_KMS it reads exactly bytes_needed bytes from the input. |
| for cmd, coll in [("find", "test"), ("aggregate", "test"), ("insert", "test")]: | ||
| name = f"op0_encrypt_{cmd}" |
There was a problem hiding this comment.
Minor: remove "test" from list since it does not differ.
| for cmd, coll in [("find", "test"), ("aggregate", "test"), ("insert", "test")]: | |
| name = f"op0_encrypt_{cmd}" | |
| for cmd in ["find", "aggregate", "insert"]: | |
| coll = "test" |
There was a problem hiding this comment.
Re-run test/gen_fuzz_corpus.py. Running locally generates files not in data/fuzz_mongocrypt_corpus (e.g. crash-kmip-parser-overflow).
Background
Libmongocrypt will be added to OSS-Fuzz for continuous fuzz testing. On our end we only have to provide the fuzzing entry point:
LLVMFuzzerTestOneInputwhich is linked into the fuzzing binary.Design
The fuzzing engine which accepts binary inputs uses the first byte to decide on the target state. It provides some defaults (local encryption keys, etc.) until the state machine is ready to accept input and feeds the fuzzer generated data. A corpus of starting data derived from test inputs improves fuzzing efficiency.
Coverage
The fuzzing added here covers 14.33% of libmongocrypt's functions.