Fuzzing for the json decoder

Hey it seems like it's working!
Check for unterminated strings properly
2024-08-12 09:43:56 -07:00 · 2024-08-12 09:41:22 -07:00
8 changed files with 1606 additions and 5 deletions
--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage
--- a/fuzz/Cargo.lock
+++ b/fuzz/Cargo.lock
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -0,0 +1,21 @@
+[package]
+name = "fwd-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.fwd]
+path = ".."
+
+[[bin]]
+name = "fuzz_target_1"
+path = "fuzz_targets/fuzz_target_1.rs"
+test = false
+doc = false
+bench = false
--- a/fuzz/fuzz_targets/fuzz_target_1.rs
+++ b/fuzz/fuzz_targets/fuzz_target_1.rs
@ -0,0 +1,11 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+extern crate fwd;
+use fwd::server::refresh::docker::JsonValue;
+
+fuzz_target!(|data: &[u8]| {
+    // fuzzed code goes here
+    let _ = JsonValue::parse(data);
+});
--- a/src/lib.rs
+++ b/src/lib.rs
@ -1,7 +1,7 @@
 mod client;
 mod message;
 mod reverse;
-mod server;
+pub mod server;

 pub const VERSION: &str = env!("CARGO_PKG_VERSION");
 pub const REV: &str = env!("REPO_REV");
--- a/src/server/mod.rs
+++ b/src/server/mod.rs
@ -5,7 +5,7 @@ use log::{error, warn};
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, BufReader, BufWriter};
 use tokio::sync::mpsc;

-mod refresh;
+pub mod refresh;

 // We drive writes through an mpsc queue, because we not only handle requests
 // and responses from the client (refresh ports and the like) but also need
--- a/src/server/refresh.rs
+++ b/src/server/refresh.rs
@ -10,7 +10,7 @@ use crate::message::PortDesc;
 mod procfs;

 #[cfg(unix)]
-mod docker;
+pub mod docker;

 pub async fn get_entries(_send_anonymous: bool) -> Result<Vec<PortDesc>> {
    #[cfg_attr(not(target_os = "linux"), allow(unused_mut))]
--- a/src/server/refresh/docker.rs
+++ b/src/server/refresh/docker.rs
@ -77,7 +77,7 @@ async fn list_containers() -> Result<Vec<u8>> {
 }

 #[derive(Debug, PartialEq)]
-enum JsonValue {
+pub enum JsonValue {
    Null,
    True,
    False,
@ -207,7 +207,7 @@ impl JsonValue {
                        }
                        i += 1;
                    }
-                    if i == blob.len() {
+                    if i >= blob.len() {
                        bail!("Unterminated string at {i}");
                    }
                    assert_eq!(blob[i], b'"');
@ -874,4 +874,10 @@ mod test {
        ]);
        assert_eq!(result, expected);
    }
+
+    #[test]
+    pub fn json_decode_unterminated_string_with_escape() {
+        let input = b"\"\\";
+        let _ = JsonValue::parse(input);
+    }
 }
Author	SHA1	Message	Date
John Doty	e27b788e8f	Fuzzing for the json decoder Hey it seems like it's working!	2024-08-12 09:43:56 -07:00
John Doty	77cbf1700f	Check for unterminated strings properly Also, public to enable fuzzing. This was the first catch!	2024-08-12 09:41:22 -07:00