strepsirrhini/libreoffice-online
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
libreoffice-online/fuzzer/ClientSession.cpp
Miklos Vajna 4433e03492 client session fuzzer: try harder to empty SocketPoll::_newCallbacks on shutdown 
The DocumentBroker dtor adds a callback:

	#0  SocketPoll::addCallback(std::function<void ()> const&) (this=0x377dce0 <Admin::instance()::admin>, fn=...) at ./net/Socket.hpp:773
	#1  0x0000000000947db5 in Admin::rmDoc (this=<optimized out>, docKey=...) at wsd/Admin.cpp:544
	#2  0x0000000000bb8192 in DocumentBroker::~DocumentBroker (this=0x61900000e690) at wsd/DocumentBroker.cpp:579

So even if the fuzzer called Admin::instance().poll() on shutdown, there
was one more callback inserted to the list later, leading to OOM in the
long run.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I0832d839b098407fa9e8aadb6f84388a85d62323
2022-05-31 15:10:51 +02:00

55 lines
1.7 KiB
C++
Raw Blame History

#include <iostream>
#include "config.h"
#include "ClientSession.hpp"
bool DoInitialization()
{
COOLWSD::ChildRoot = "/fuzz/child-root";
UnitBase::init(UnitBase::UnitType::Wsd, std::string());
return true;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
static bool initialized = DoInitialization();
(void)initialized;
std::string uri;
Poco::URI uriPublic;
std::string docKey = "/fuzz/fuzz.odt";
auto docBroker = std::make_shared<DocumentBroker>(DocumentBroker::ChildType::Interactive, uri,
uriPublic, docKey);
std::shared_ptr<ProtocolHandlerInterface> ws;
std::string id;
bool isReadOnly = false;
Poco::Net::HTTPRequest request(Poco::Net::HTTPRequest::HTTP_GET, uri,
Poco::Net::HTTPMessage::HTTP_1_1);
request.setHost("localhost:9980");
const RequestDetails requestDetails(request, "");
auto session
= std::make_shared<ClientSession>(ws, id, docBroker, uriPublic, isReadOnly, requestDetails);
std::string input(reinterpret_cast<const char*>(data), size);
std::stringstream ss(input);
std::string line;
while (std::getline(ss, line, '\n'))
{
std::vector<char> lineVector(line.data(), line.data() + line.size());
session->handleMessage(lineVector);
}
// The DocumentBroker dtor grows SocketPoll::_newCallbacks.
docBroker.reset();
// Make sure SocketPoll::_newCallbacks does not grow forever, leading to OOM.
Admin::instance().poll(std::chrono::microseconds(0));
// Make sure the anon map does not grow forever, leading to OOM.
Util::clearAnonymized();
return 0;
}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
Reference in a new issue View git blame Copy permalink