From: Stephen Morris
Date: Tue, 25 Jun 2019 19:15:10 +0000 (+0100)
Subject: [#640,!351] Restrict size of data that will be sent to Kea
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdd3b76d9ae8d47345943fed68ead86c10dd42a0;p=thirdparty%2Fkea.git

[#640,!351] Restrict size of data that will be sent to Kea

Kea will only accept up to about 64k or data (set by the size of a UDP datagram). However, AFL can send much larger data packets, which may cause problems in synchronization between the two threads used to implement fuzzing in Kea.
---

diff --git a/src/lib/dhcpsrv/fuzz.cc b/src/lib/dhcpsrv/fuzz.cc
index 11afbe1b68..cb28389de4 100644
--- a/src/lib/dhcpsrv/fuzz.cc
+++ b/src/lib/dhcpsrv/fuzz.cc
@@ -34,6 +34,7 @@ using namespace std;
 // Constants defined in the Fuzz class definition.
 constexpr size_t Fuzz::BUFFER_SIZE;
+constexpr size_t Fuzz::MAX_SEND_SIZE;
 constexpr useconds_t Fuzz::SLEEP_INTERVAL;
 constexpr long Fuzz::LOOP_COUNT;
@@ -264,10 +265,16 @@ Fuzz::run(void) {
     // and AFL seems to get confused in this case. At any rate, without
     // some form of synchronization, this approach does not work.
-    // Send the data to the main Kea thread.
-    ssize_t sent = sendto(sockfd, buf, length, 0, sockaddr_ptr_,
+    // Send the data to the main Kea thread. Limit the size of the
+    // packets that can be sent.
+    size_t send_len = (length < MAX_SEND_SIZE) ? length : MAX_SEND_SIZE;
+    ssize_t sent = sendto(sockfd, buf, send_len, 0, sockaddr_ptr_,
                           sockaddr_len_);
     if (sent < 0) {
+        // TODO: If we get here, we may well hang: AFL has sent us a
+        // packet but by continuing, we are not letting Kea process it
+        // and trigger AFL to send another. For the time being, we
+        // are restricting the size of packets Kea can send us.
         LOG_ERROR(fuzz_logger, FUZZ_SEND_ERROR).arg(strerror(errno));
         continue;
     } else if (sent != length) {
diff --git a/src/lib/dhcpsrv/fuzz.h b/src/lib/dhcpsrv/fuzz.h
index a6009338a5..bdcbaf0a09 100644
--- a/src/lib/dhcpsrv/fuzz.h
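Review bot: The partial-send check on the hunk's last line still compares against `length`, but the call above was capped to `send_len`, so every AFL input longer than MAX_SEND_SIZE now lands in that branch even when sendto() wrote everything it was asked to; it should read `} else if (sent != static_cast<ssize_t>(send_len)) {`. The clamp itself is clearer as `size_t send_len = std::min<size_t>(length, MAX_SEND_SIZE);`, which also avoids a signed/unsigned comparison if `length` is the ssize_t result of the earlier read (its declaration is outside the hunk, so this is inferred). Silently truncating also means the packet Kea processes is not the input AFL believes it exercised, so a comment such as `// Inputs longer than MAX_SEND_SIZE are truncated, not dropped.` would help the next reader of this loop. Fuzz::run() begins and ends outside the hunk.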
+++ b/src/lib/dhcpsrv/fuzz.h
@@ -141,7 +141,18 @@ public:
     void setAddress(int ipversion);
     /// @brief size of the buffer used to transfer data between AFL and Kea.
-    static constexpr size_t BUFFER_SIZE = 65536;
+    ///
+    /// This is much larger than the data that will be sent to Kea (so AFL
+    /// data being trimmed). However, it does allow for AFL to send quite
+    /// large packets without resulting in timeouts or synchronization
+    /// problems with the fuzzing thread.
+    static constexpr size_t BUFFER_SIZE = 128000;
+
+    /// @brief maximum size of packets fuzzing thread will send to Kea
+    ///
+    /// This is below the maximum size of data that can be put into a
+    /// single UDP datagram.
+    static constexpr size_t MAX_SEND_SIZE = 64000;
     /// @brief Delay before rereading if read from stdin returns an error (us)
     static constexpr useconds_t SLEEP_INTERVAL = 50000;
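Review bot: Nothing ties the two new constants together, so a later edit that raises MAX_SEND_SIZE above BUFFER_SIZE would let the clamp in fuzz.cc hand sendto() a length larger than the buffer it reads from; a `static_assert(MAX_SEND_SIZE <= BUFFER_SIZE, "MAX_SEND_SIZE must fit in the AFL transfer buffer");` next to the new definition pins that invariant at compile time. The BUFFER_SIZE doc comment's parenthetical "(so AFL data being trimmed)" does not parse; "(longer AFL inputs are truncated before being sent)" says what the clamp actually does. The MAX_SEND_SIZE comment would also be more useful if it named the bound it stays under (the largest UDP payload over IPv4 is 65507 bytes), so 64000 reads as a checked margin rather than a bare number.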