From: Zbigniew Jędrzejewski-Szmek
Date: Sun, 8 May 2022 07:41:32 +0000 (+0200)
Subject: fuzz-systemctl-parse-argv: refuse commandlines above 1k entries
X-Git-Tag: v251-rc3~38^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44468876c37e01efe2d9fe1b170d19d8b6958373;p=thirdparty%2Fsystemd.git

fuzz-systemctl-parse-argv: refuse commandlines above 1k entries

oss-fuzz reports timeouts which are created by appending to a very long strv. The code is indeed not very efficient, but it's designed for normal command-line use, where we don't expect more than a dozen of entries. The fact that it is slow with ~100k entries is not particularly interesting.

In the future we could rework the code to have better algorithmic complexity. But let's at least stop oss-fuzz from wasting more time on such examples.

(My first approach was to set max_len in .options, but apparently this doesn't work for hongfuzz and AFL.)

oss-fuzz-34527: https://oss-fuzz.com/issue/5722283944574976
---
diff --git a/src/systemctl/fuzz-systemctl-parse-argv.c b/src/systemctl/fuzz-systemctl-parse-argv.c index eed8c671448..588c8b56c5c 100644 --- a/src/systemctl/fuzz-systemctl-parse-argv.c +++ b/src/systemctl/fuzz-systemctl-parse-argv.c @@ -31,6 +31,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (!argv[0]) return 0; /* argv[0] should always be present, but may be zero-length. */ + if (strv_length(argv) > 1024) + return 0; /* oss-fuzz reports timeouts which are caused by appending to a very long strv. + * The code is indeed not very efficient, but it's designed for normal command-line + * use, where we don't expect more than a dozen of entries. The fact that it is + * slow with ~100k entries is not particularly interesting. Let's just refuse such + * long command lines. */ if (getenv_bool("SYSTEMD_FUZZ_OUTPUT") <= 0) { orig_stdout_fd = fcntl(fileno(stdout), F_DUPFD_CLOEXEC, 3);
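Review bot: the cap in `if (strv_length(argv) > 1024)` is a bare magic number; a named constant near the top of the fuzzer (something like a `#define` for the maximum argv length) would make the intent visible at the call site and in future diffs. The accompanying comment should also say explicitly that this is a guard on the fuzzer harness, not a limit enforced by systemctl itself, so nobody reads it as product behaviour. Two smaller points: `strv_length()` walks the whole array, which is fine here since a single O(n) pass is cheap compared with the repeated appends it short-circuits; and because the early `return 0` discards the input silently, it is worth keeping the oss-fuzz issue reference (34527) in the comment so the rationale stays traceable if the underlying code is later reworked for better algorithmic complexity, as the commit message proposes.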