Commit graph

49 commits

Author SHA1 Message Date
Miklos Vajna
e4298ccf31 fuzzer, httpresponse: clear state before each run
The max input size is 16384, so in case the input is saved after each
run, this can allocate ~300MB of memory. This is a considerable
amount, given that the upper limit of the fuzzer process is 2GB.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ieedb6a537d5b539255ed8bacd79ff23db3c15e9f
2023-02-28 10:18:41 +01:00
Miklos Vajna
4278b601f6 wsd: fix missing tile cache check in ClientSession::getCommandValues()
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I59d0c4863493a02df7a05b98648eb235840f8060
2022-10-25 16:55:19 +01:00
Ashod Nakashian
81399bff64 fuzzers: fixup HttpEcho
This improves the performance of fuzzing
and removes the checks that can't be guaranteed.

And fixes a test failure.

Change-Id: I987fe15b098c00d9a3d60077f0581d2ef35e306c
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-17 08:55:12 -04:00
Ashod Nakashian
41ea9d4930 fuzzers: add httpecho fuzzer script
Change-Id: Iab296461ac47d0ee23c23bf3629f7a08f77e238a
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-17 08:55:12 -04:00
Ashod Nakashian
94a884ad0f fuzzers: add http corpus and dictionary
Change-Id: I1a59fd31cc8ddfd90a7e9d4d62455310e410cb88
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-17 08:55:12 -04:00
Ashod Nakashian
6fa5be7ecb fuzzers: more aggressive http::Response fuzzing
Change-Id: I5b714bddd6edc90ef0c8efdad42d5f78f3d74886
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-17 08:55:12 -04:00
Ashod Nakashian
a87d1ae54f wsd: add HttpEcho fuzzer
This is a full round-trip http fuzzer.
It can achieve >1000 iterations per second
on a single 2 GHz core, even while going
through the network loopback layer.
The advantage is that more networking code
is fuzzed this way, including not just
the http code, but also the sockets.

Change-Id: I75d21bd0e25221ee6621097a2605d62c4bb2ae4d
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
2022-08-17 08:55:12 -04:00
Miklos Vajna
4433e03492 client session fuzzer: try harder to empty SocketPoll::_newCallbacks on shutdown
The DocumentBroker dtor adds a callback:

	#0  SocketPoll::addCallback(std::function<void ()> const&) (this=0x377dce0 <Admin::instance()::admin>, fn=...) at ./net/Socket.hpp:773
	#1  0x0000000000947db5 in Admin::rmDoc (this=<optimized out>, docKey=...) at wsd/Admin.cpp:544
	#2  0x0000000000bb8192 in DocumentBroker::~DocumentBroker (this=0x61900000e690) at wsd/DocumentBroker.cpp:579

So even if the fuzzer called Admin::instance().poll() on shutdown, there
was one more callback inserted to the list later, leading to OOM in the
long run.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I0832d839b098407fa9e8aadb6f84388a85d62323
2022-05-31 15:10:51 +02:00
Miklos Vajna
262befc90e clientsession_fuzzer: fix missing UnitWSD
An alternative would be to tweak online-fuzz/wsd/DocumentBroker.cpp:534
to check for Util::isFuzzing(), but this is probably a better & more
generic way.

'./clientsession_fuzzer fuzzer/data/load' now works again.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I4d9fa387597695ff0802b268bc4d86be51dbabb2
2022-01-21 14:52:31 +01:00
Andras Timar
f07ff8c7e0 rename: remaining lool->cool changes
Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: Ib7d4e804bebe52dead8d53b0e0bbaed0f08bf3d0
2021-11-18 14:14:11 +01:00
Andras Timar
de3e09fde0 rename wsd protocol command 'loolclient' to 'coolclient'
Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: I506fe74bc5ebf183ed21721b40a45210373abf06
2021-11-17 11:59:35 +01:00
Miklos Vajna
f569c2b496 log: don't try to get the channel of a non-existing logger
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ic08043dac01b682184ff440b2f7d7f4f3df9522e
2021-07-15 09:01:16 +02:00
Miklos Vajna
57d3d0f391 http response: check if result would fit into chunkLen
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I6e3b73461653d2ab3cedaa3f6ca7fbfd2a826edb
2021-07-08 14:51:11 +02:00
Miklos Vajna
8f1621299b wsd: guard against negative counter in loolclient cmd
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: If1b1b515015b8aae01f2d1a6cb6a98426e2b03a8
2021-06-04 14:31:57 +02:00
Miklos Vajna
bc0401fc49 Make sure that double fits into uint64_t
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ic521383f71c1865ae18fc880b79493c52285e29b
2021-05-31 08:54:06 +02:00
Miklos Vajna
7b89ce2961 ClientSession::_handleInput: avoid pointing to a temporary
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I048ce322111029847d78f917f071b1c0854dc116
2021-05-10 12:38:32 +03:00
Miklos Vajna
f4759515be fuzzers: HttpResponse is a superset of HttpStatus
HttpResponse covers http::Response::readData(), HttpStatus covered
http::StatusLine::parse(). The first calls the second, so remove the
second.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I163819ca470b766a7bc4694a9c6cfe4919e17963
2021-04-28 09:02:08 +02:00
Miklos Vajna
9afe974848 Add a fuzzer for http::Response::readData()
And remove the httpheader one, which is not useful: since it uses Poco
for the actual parsing, it did not find anything. (If we switch away
from Poco there in the future, it's easy enough to restore it.)

Also fix some problems found by the fuzzer.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I254247c46ecc78c9c3e75aac4f10c441b0e10fb3
2021-04-23 17:54:36 +02:00
Miklos Vajna
da11acd8c5 StatusLine::parse: handle non-null-terminated buffer with std::atoi()
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I51033bc4d3f97f5ae93abce1b5f19ef6a8b296d8
2021-04-23 15:32:21 +02:00
Miklos Vajna
415a834813 StatusLine::parse: only feed integers to std::atoi()
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I7591fd14fbdc7c1210ac8141cb78854e3f20fffd
2021-04-23 15:32:21 +02:00
Miklos Vajna
80c6562e59 Add a fuzzer for http::StatusLine::parse()
And fix an unhandled std::length_error it found.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I571cdd71caeda84820f2c64088966936637ce2bf
2021-04-23 09:02:21 +02:00
Miklos Vajna
f720e280bf Add an initial libfuzzer based fuzzer for http::Header::parse()
Run the actual fuzzer like this:

./httpheader_fuzzer -max_len=16384 fuzzer/httpheader-data/

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I91afe44a632826cc15bd1c338bcc5234582e9674
2021-04-22 15:56:58 +02:00
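The StatusLine fixes listed above (std::atoi on a non-null-terminated buffer, feeding std::atoi only digits, checking that a chunk length fits) and the libFuzzer entry point these fuzzer commits build with -fsanitize=fuzzer, as an added example that is not Collabora Online's http::StatusLine or http::Response code: a bounds-checked status-line and chunk-size parser behind the standard LLVMFuzzerTestOneInput entry point. The function names, the single-digit version and three-digit status-code limits, and the 16384-byte corpus convention used in the usage note are this example's assumptions, not the project's.

```cpp
// Added example, not Collabora Online's http::StatusLine / http::Response code:
// a status-line and chunk-size parser written to be driven by libFuzzer with
// raw, non-NUL-terminated buffers. All limits below are this example's assumptions.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

struct StatusLine {
    int versionMajor = 0;
    int versionMinor = 0;
    int statusCode = 0;
    std::string reason;
};

// Decimal digits from [p, p+len) without std::atoi: atoi needs a NUL
// terminator, silently accepts whitespace and a sign, and overflow is
// undefined behaviour. maxDigits (<= 9) keeps the result inside an int.
static bool parseDecimal(const char* p, size_t len, size_t maxDigits, int& out) {
    if (len == 0 || len > maxDigits || maxDigits > 9) return false;
    int value = 0;
    for (size_t i = 0; i < len; ++i) {
        if (p[i] < '0' || p[i] > '9') return false;
        value = value * 10 + (p[i] - '0');
    }
    out = value;
    return true;
}

// Parses "HTTP/<d>.<d> <ddd>[ <reason>]\r\n" from a buffer that may not be
// NUL-terminated. Every read is checked against len; the CRLF must lie inside
// the buffer, so a truncated line is reported as malformed, not consumed.
bool parseStatusLine(const char* data, size_t len, StatusLine& out) {
    static const char prefix[] = "HTTP/";
    const size_t prefixLen = sizeof(prefix) - 1;
    if (len < prefixLen || std::memcmp(data, prefix, prefixLen) != 0) return false;
    size_t pos = prefixLen;

    // Version: one digit, '.', one digit, then a single space.
    if (len - pos < 4 || data[pos + 1] != '.' || data[pos + 3] != ' ') return false;
    int major = 0, minor = 0;
    if (!parseDecimal(data + pos, 1, 1, major) || !parseDecimal(data + pos + 2, 1, 1, minor)) return false;
    pos += 4;

    // Status code: exactly three digits, no sign, no whitespace.
    if (len - pos < 3) return false;
    int code = 0;
    if (!parseDecimal(data + pos, 3, 3, code)) return false;
    pos += 3;

    // Reason phrase: either CRLF directly, or ' ' + text + CRLF.
    std::string reason;
    if (len - pos >= 2 && data[pos] == '\r' && data[pos + 1] == '\n') {
        // empty reason phrase
    } else {
        if (len - pos < 3 || data[pos] != ' ') return false;
        ++pos;
        const char* cr = static_cast<const char*>(std::memchr(data + pos, '\r', len - pos));
        if (cr == nullptr || static_cast<size_t>(cr - data) + 1 >= len || cr[1] != '\n') return false;
        reason.assign(data + pos, static_cast<size_t>(cr - (data + pos)));
    }
    out.versionMajor = major;
    out.versionMinor = minor;
    out.statusCode = code;
    out.reason = reason;
    return true;
}

// Parses a chunked-transfer-encoding size line ("1a\r\n", "10;ext=1\r\n").
// Before each shift it checks that the accumulated value still fits in the
// 64-bit chunk length instead of wrapping silently. Returns the bytes consumed
// including the CRLF, or 0 if the line is malformed or incomplete.
size_t parseChunkLength(const char* data, size_t len, uint64_t& chunkLen) {
    uint64_t value = 0;
    size_t pos = 0, digits = 0;
    for (; pos < len; ++pos, ++digits) {
        const char c = data[pos];
        unsigned d = 0;
        if (c >= '0' && c <= '9') d = static_cast<unsigned>(c - '0');
        else if (c >= 'a' && c <= 'f') d = static_cast<unsigned>(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') d = static_cast<unsigned>(c - 'A' + 10);
        else break;
        if (value > (UINT64_MAX >> 4)) return 0;   // one more hex digit would overflow
        value = (value << 4) | d;
    }
    if (digits == 0) return 0;
    if (pos < len && data[pos] == ';') {           // skip chunk extensions up to the CR
        const char* cr = static_cast<const char*>(std::memchr(data + pos, '\r', len - pos));
        if (cr == nullptr) return 0;
        pos = static_cast<size_t>(cr - data);
    }
    if (len - pos < 2 || data[pos] != '\r' || data[pos + 1] != '\n') return 0;
    chunkLen = value;
    return pos + 2;
}

// libFuzzer entry point, linked in by -fsanitize=fuzzer. The harness keeps no
// state between runs, so there is nothing to clear between inputs; both
// parsers only ever read inside [data, data+size).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    StatusLine line;
    parseStatusLine(reinterpret_cast<const char*>(data), size, line);
    uint64_t chunkLen = 0;
    parseChunkLength(reinterpret_cast<const char*>(data), size, chunkLen);
    return 0;
}
```

Built with `clang++ -g -O1 -fsanitize=fuzzer,address statusline_fuzzer.cpp -o statusline_fuzzer` and run as `./statusline_fuzzer -max_len=16384 corpus/`, the same shape as the command lines in these commits, the target stays well above the 1,000 exec/s the initial fuzzer commit aims for because it does no I/O and allocates only for the reason phrase.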
Miklos Vajna
c65d8e7c7f HttpRequest: add missing config.h include
fuzzers build was failing with:

	In file included from fuzzer/Admin.cpp:3:
	In file included from ./wsd/Admin.hpp:12:
	In file included from ./wsd/AdminModel.hpp:20:
	In file included from ./net/WebSocketHandler.hpp:18:
	./net/HttpRequest.hpp:667:31: error: expected ')'
		_header.add("Server", HTTP_SERVER_STRING);
				      ^
	./common/Common.hpp:62:51: note: expanded from macro 'HTTP_SERVER_STRING'
	#define HTTP_SERVER_STRING "LOOLWSD HTTP Server " LOOLWSD_VERSION
							  ^
	./net/HttpRequest.hpp:667:20: note: to match this '('
		_header.add("Server", HTTP_SERVER_STRING);
			   ^

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ibc3905e3e62e0eb9788b750971916ff4a4937f12
2021-03-30 12:23:09 +02:00
Miklos Vajna
656af5d407 LOOLWSD::sendMessageToForKit: add error handling
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ib0ee205ce5620d09bee877148b52dc2f3342145d
2021-03-16 10:46:23 +01:00
Miklos Vajna
3c0e7707bd admin fuzzer: fix build
This went wrong in commit 693a2e19e3 (wsd:
SocketPoll::poll accepts chrono duration, 2020-12-14).

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I04780d7a5ef8ba54530df7727f2fe4df59995fb9
2021-01-04 11:45:01 +01:00
Miklos Vajna
f77c8076a7 wsd: fix crash on renderfont when the doc broker has no tile cache
Happens when renderfont is called without first loading a document.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I1152d1f4b3f610364e22c406cda5494672f20aed
2020-12-21 10:23:56 +01:00
Miklos Vajna
10c1885a83 fuzzer-clientsession
The fuzzer ran out of memory, 955443527 bytes (79%) of the used memory
was this map.

Change-Id: I2dd84a094d3dd3d98618667e3c78591e2193bce2
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
2020-11-30 10:17:43 +01:00
Miklos Vajna
eb5c86a4d3 DocumentBroker::saveToStorage: guard against nullptr _storage
This can happen on a 'savetostorage' which is after a failed load.

Change-Id: Iad26bf6415c772c8646a119b0454c202873d6860
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
2020-10-26 10:57:23 +01:00
Miklos Vajna
3ce20bae68 DocumentBroker::sendRequestedTiles: avoid nullptr _tileCache
Change-Id: I467c7ca451b4f72f4f1205e965be2dd602d6d69d
2020-10-08 11:59:08 +02:00
Miklos Vajna
2b546f72de document broker: handle tile request without tile cache
Change-Id: I5e0006cde07a84e6553db92627fdab943ac51d04
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/103534
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
2020-09-28 10:50:46 +02:00
Miklos Vajna
a3fc39e325 libfuzzer: fix build
Also decrease the poll timeout to 0, otherwise testing each input would
now take 5 sec, rather than ~3 ms.

Change-Id: I1a4f347e5ec08a62d40131bfec3c504a19727323
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95437
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-06-03 16:39:45 +02:00
Ashod Nakashian
44f4e59b6b wsd: RequestDetails takes the service root as argument
This avoids depending on LOOLWSD's statics, which
makes adding unit-tests much more difficult due to
the high number of dependencies LOOLWSD pulls.

Adds a number of unit-tests for RequestDetails.

Change-Id: I9f1d56f80a633505c7ff548ec0e33ffe61f59f53
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95290
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Tested-by: Jenkins
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
2020-06-02 17:28:40 +02:00
Miklos Vajna
eacf089363 libfuzzer: add initial documentation
So that one does not have to search back the commit messages to get the
command lines to run these.

Change-Id: I3acfc0fa5b38577f22f6248a8ae0705e6af68940
2020-05-15 10:06:58 +02:00
Michael Meeks
34fc7fb6b7 Proxy: move requestDetails closer to ProxyProtocol.
Change-Id: I07c00ea1dad15fd70b658a04f722cbd516fd5c18
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/94088
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-05-13 00:53:24 +02:00
Miklos Vajna
19745e2e44 libfuzzer: fix build
And bypass configuration access at two new places, so the fuzzer can
find more interesting failures.

Change-Id: I4c09172e781a7c6120b8c4befe1a84fdd74f2ddc
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93617
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-05-07 14:04:57 +02:00
Michael Meeks
18c4301a1f Proxy: re-factor proxy handling into ServerURL and cleanup copy/paste.
Also adds ServiceRoot handling for clipboard.

Change-Id: I7bc6591130fcc7d693e59ab8561fb9e99f4e93d5
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93578
Tested-by: Michael Meeks <michael.meeks@collabora.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-05-06 23:12:12 +02:00
Miklos Vajna
eeb4d53a1e admin_fuzzer: fix too large param to mem stats size setter
Change-Id: I30dfa5cd917769e05cfdd4fad2a0e5ee8cc79dfb
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92568
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-20 15:44:21 +02:00
Miklos Vajna
72cfcf7f3e admin_fuzzer: fix too large param to cpu_stats_size setter
Don't pop an empty container, also use stol() so it does not throw
std::out_of_range.

Change-Id: Id81cb00ccfb0ecc234b8f6fa89edf5a0d8c6d353
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92524
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-20 11:18:05 +02:00
Miklos Vajna
ec3341591b clientsession_fuzzer: fix build
Change-Id: If793ad5d23f5b33d92ccfb681b279821f04a362b
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92397
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-17 09:57:15 +02:00
Miklos Vajna
946fa38a22 admin console: fix handling of out of range kill parameter
Catch that, similar to when handling an invalid argument.

Change-Id: I7405355f0b962673069dbd33dbab8c9e3042c4bf
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91794
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-07 09:35:54 +02:00
Miklos Vajna
fc88a872c2 admin console: log when JWTAuth::verify() doesn't have enough tokens
This is no longer a huge problem, but it's still a good idea to return
early in that case.

Found with the recently added admin_fuzzer, when I locally disabled the
StringVector safety checks for test purposes.

(If you view the diff with -U30, then you see that we access tokens[2]
later, so if size is < 3, we should give up.)

Change-Id: I46fc531fb042cc1485a17a9e994ad37e9ff0cd80
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91587
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-03 09:18:18 +02:00
Miklos Vajna
a4e0a00bfe Add an initial libfuzzer based fuzzer for the admin console
Run the actual fuzzer like this:

./admin_fuzzer -max_len=16384 fuzzer/admin-data/

Change-Id: I5891df8033ff1837afce86775ee62447587f2f20
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91504
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-02 12:11:24 +02:00
Miklos Vajna
338a9c5f1d libfuzzer: fix build
After commit e924625cc1 (re-factor: Socket
/ WebSocketHandler., 2020-03-06).

Change-Id: I2c109c26791efa03f54773a3623bcce57b0fb5e6
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/90603
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
2020-03-17 10:34:40 +01:00
Miklos Vajna
1bfd7a363d libfuzzer: fix build
After commit f70e627795 (WebSocket -
simplify handleMessage for now., 2020-03-05).

Change-Id: Iac4be94fa1f9b37714329b6b6941c775c3fe1947
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/90084
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-03-06 13:27:26 +01:00
Miklos Vajna
d129979822 wsd: fix crash with read-only documents + uno command without param
==15956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007cd2f7 bp 0x7ffe96c7cd70 sp 0x7ffe96c7c4e8 T0)
...
    #7 0x11a9d31 in ClientSession::filterMessage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const wsd/ClientSession.cpp:977:27
    #8 0x11925d6 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:741:14
    #9 0x19395d0 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:230:13

This seems to be a recurring pattern, I'll consider reworking
LOOLProtocol::tokenize() in a follow-up commit to have a return value
that is safer than std::vector<std::string>.

Change-Id: I0e71214a55af2e71e4787cb0dba0ddf7825bf9d9
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89637
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-02-27 17:59:59 +01:00
Miklos Vajna
1016de956a fuzzer: fix OOM with an ever-growing SocketPoll::_newCallbacks
Admin::instance().dumpState(std::cerr) at the end of a run shows:
 Poll [0] - wakeup r: 11 w: 12
        callbacks: 103
        fd      events  rsize   wsize

This is more a problem in the fuzzer itself than in the code, the
unprocessed callbacks reached the intentionally set 2GB limit in about
20 mins, so process them at the end of each run.

Change-Id: Ic12d3e8555417371f4ca44228fc1ff515d704592
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89632
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-02-27 15:11:31 +01:00
Miklos Vajna
aefc65465b wsd: fix crash when downloadas has not enough parameters
==11898==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007c4f87 bp 0x7fffe45dfe90 sp 0x7fffe45df608 T0)
==11898==The signal is caused by a READ memory access.
==11898==Hint: address points to the zero page.
    #0 0x7c4f86 in AddressIsPoisoned lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_mapping.h:397
    #1 0x7c4f86 in __asan::QuickCheckForUnpoisonedRegion(unsigned long, unsigned long) lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:31
    #2 0x816436 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:834
    #3 0x816d38 in memcmp lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:866
    #4 0x7f1964437595 in std::char_traits<char>::compare(char const*, char const*, unsigned long) lode/packages/gccbuild/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:310
    #5 0x7f1964437595 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(unsigned long, unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const lode/packages/gccbuild/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/basic_string.tcc:1391
    #6 0x18e206d in LOOLProtocol::getTokenString(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) common/Protocol.cpp:141:19
    #7 0x117cc0a in ClientSession::filterMessage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const wsd/ClientSession.cpp:940:13
    #8 0x116b832 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:741:14
    #9 0x18f70d0 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:230:13

Change-Id: I0c7da6c02ac62bf0bc99557517fc7c517917046c
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89229
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:34 +01:00
Miklos Vajna
57a35bb96c Add an initial libfuzzer based fuzzer
- target ClientSession::_handleInput(), since crashing there would bring
  down the whole loolwsd (not just a kit process), and it deals with
  input from untrusted users (browsers)

- add a --enable-fuzzers configure switch to build with
  -fsanitize=fuzzer (compared to normal sanitizers build, this is the only
  special flag needed)

- configuring other sanitizers is not done automatically, either use
  --with-sanitizer=... or the environment variables from LODE's sanitizer
  config

- run the actual fuzzer like this:

  ./clientsession_fuzzer -max_len=16384 fuzzer/data/

- note that at least openSUSE Leap 15.1 sadly ships with a clang with
  libfuzzer static libs removed from the package, so you need a
  self-built clang to run the fuzzer (either manual build or one from
  LODE)

- <https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/refs/heads/master/efficient_fuzzing.md#execution-speed>
  suggests that "You should aim for at least 1,000 exec/s from your fuzz
  target locally" (i.e. one run should not take more than 1 ms), so try
  this minimal approach first. The alternative would be to start from the
  existing loolwsd_fuzzer binary, then step by step cut it down to not
  fork(), not do any network traffic, etc -- till it's fast enough that
  the fuzzer can find interesting input

- the various configurations start to be really complex (the matrix is
  just very large), so try to use Util::isFuzzing() for fuzzer-specific
  changes (this is what core.git does as well), and only resort to ifdefs
  for the Util::isFuzzing() itself

Change-Id: I72dc1193b34c93eacb5d8e39cef42387d42bd72f
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89226
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:22 +01:00
Miklos Vajna
8d2a8da960 common: fix crash when the version string contains no dot character
==13901==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000904678 bp 0x7ffdb9e21580 sp 0x7ffdb9e21340 T0)
==13901==The signal is caused by a READ memory access.
==13901==Hint: address points to the zero page.
    #0 0x904677 in LOOLProtocol::tokenize[abi:cxx11](char const*, unsigned long, char) common/Protocol.hpp:113:40
    #1 0x898c52 in LOOLProtocol::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char) common/Protocol.hpp:141:16
    #2 0x18dc2d9 in LOOLProtocol::ParseVersion(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) common/Protocol.cpp:35:51
    #3 0x1148824 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:358:64
    #4 0x18efcb8 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:232:13

Next commit will add the actual simple fuzzer that found this.

Change-Id: I8623b4451a57390f6f84c11084c5a1120a11fcc5
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89225
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:11 +01:00
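The recurring pattern in the ClientSession and admin-console crashes above (indexing the tokenize() result without checking its size, an out-of-range kill parameter, ParseVersion on a string with no dot character), as an added example that is not Collabora Online's LOOLProtocol or StringVector code: a tokenizer whose result cannot be indexed past its end, a bounded std::stol wrapper that catches both std::invalid_argument and std::out_of_range, and a small dispatcher for constructed `kill` and `downloadas` commands. The Tokens class, the pid ceiling and the `name=`/`id=`/`format=` keys as used here are assumptions of this example, not the project's protocol definition.

```cpp
// Added example, not Collabora Online's LOOLProtocol / StringVector code: a
// tokenizer with a safe result type, a bounded integer parser, and a command
// handler that checks token counts and parameter ranges before using them.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Result of tokenize(): operator[] returns an empty string instead of reading
// past the end, so a missing tokens[2] cannot become a null-pointer read; the
// handler still checks size() explicitly wherever the count matters.
class Tokens {
public:
    explicit Tokens(std::vector<std::string> v) : _v(std::move(v)) {}
    size_t size() const { return _v.size(); }
    bool empty() const { return _v.empty(); }
    const std::string& operator[](size_t i) const {
        static const std::string none;
        return i < _v.size() ? _v[i] : none;
    }
    // "name=value" lookup; returns false when the key is absent.
    bool getString(const std::string& name, std::string& out) const {
        const std::string prefix = name + '=';
        for (const std::string& tok : _v)
            if (tok.compare(0, prefix.size(), prefix) == 0) {
                out = tok.substr(prefix.size());
                return true;
            }
        return false;
    }
private:
    std::vector<std::string> _v;
};

// Splits on delim, dropping empty fields (so "  a  b " yields two tokens).
Tokens tokenize(const std::string& s, char delim = ' ') {
    std::vector<std::string> v;
    size_t start = 0;
    while (start < s.size()) {
        size_t end = s.find(delim, start);
        if (end == std::string::npos) end = s.size();
        if (end > start) v.emplace_back(s, start, end - start);
        start = end + 1;
    }
    return Tokens(std::move(v));
}

// std::stol throws std::invalid_argument on non-numeric text and
// std::out_of_range when the value does not fit in a long; both are caught so
// one malformed message cannot take the whole WSD process down. Trailing
// garbage ("12abc") and values outside [min, max] (negative counters) are rejected.
bool parseBoundedLong(const std::string& text, long min, long max, long& out) {
    try {
        size_t consumed = 0;
        const long v = std::stol(text, &consumed);
        if (consumed != text.size() || v < min || v > max) return false;
        out = v;
        return true;
    } catch (const std::invalid_argument&) {
        return false;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// "major.minor": the original crash came from indexing the tokenize() result
// when the version string contained no '.' at all.
bool parseVersion(const std::string& version, int& major, int& minor) {
    const Tokens t = tokenize(version, '.');
    if (t.size() != 2) return false;
    long a = 0, b = 0;
    if (!parseBoundedLong(t[0], 0, 9999, a) || !parseBoundedLong(t[1], 0, 9999, b)) return false;
    major = static_cast<int>(a);
    minor = static_cast<int>(b);
    return true;
}

// Dispatcher for two constructed commands modelled on the ones named in the
// log. It returns a status string instead of touching a process or document.
std::string handleCommand(const std::string& line) {
    const Tokens tokens = tokenize(line);
    if (tokens.empty()) return "error: empty command";
    if (tokens[0] == "kill") {
        if (tokens.size() != 2) return "error: kill needs exactly one argument";
        long pid = 0;
        // 4194304 is the Linux pid_max ceiling; the bound is this example's choice.
        if (!parseBoundedLong(tokens[1], 1, 4194304, pid)) return "error: invalid pid";
        return "ok: kill " + std::to_string(pid);
    }
    if (tokens[0] == "downloadas") {
        std::string name, id, format;
        if (tokens.size() < 4 || !tokens.getString("name", name) ||
            !tokens.getString("id", id) || !tokens.getString("format", format))
            return "error: downloadas needs name=, id= and format=";
        return "ok: downloadas " + name + " as " + format;
    }
    return "error: unknown command";
}
```

Feeding handleCommand() and parseVersion() from a libFuzzer entry point gives the same kind of target as clientsession_fuzzer, with the difference that every failure path is a returned error string rather than an AddressSanitizer report.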