From 5fe9188a95b67caf71c299d6204bb2de6b06a790 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 6 Jan 2022 15:51:00 +0100
Subject: [PATCH] fuzz: test for too many open txs in a flow so as to avoid performance problems coming from this.
---
 src/tests/fuzz/fuzz_applayerparserparse.c | 28 +++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/tests/fuzz/fuzz_applayerparserparse.c b/src/tests/fuzz/fuzz_applayerparserparse.c
index 945cb32c35..cf397a72ad 100644
--- a/src/tests/fuzz/fuzz_applayerparserparse.c
+++ b/src/tests/fuzz/fuzz_applayerparserparse.c
@@ -59,6 +59,9 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
     return 0;
 }
 
+// arbitrary value
+#define ALPROTO_MAXTX 4096
+
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     Flow * f;
@@ -166,6 +169,31 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
         }
 
         AppLayerParserTransactionsCleanup(f);
+
+        if (f->alstate && f->alparser) {
+            // check if we have too many open transactions
+            const uint64_t total_txs = AppLayerParserGetTxCnt(f, f->alstate);
+            uint64_t min = 0;
+            AppLayerGetTxIterState state;
+            memset(&state, 0, sizeof(state));
+            uint64_t nbtx = 0;
+            AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(f->proto, f->alproto);
+            while (1) {
+                AppLayerGetTxIterTuple ires =
+                        IterFunc(f->proto, f->alproto, f->alstate, min, total_txs, &state);
+                if (ires.tx_ptr == NULL)
+                    break;
+                min = ires.tx_id + 1;
+                nbtx++;
+                if (nbtx > ALPROTO_MAXTX) {
+                    printf("Too many open transactions for protocol %s\n",
+                            AppProtoToString(f->alproto));
+                    printf("Assertion failure: %s\n", AppProtoToString(f->alproto));
+                    fflush(stdout);
+                    abort();
+                }
+            }
+        }
     }
     alsize -= alnext - albuffer + 4;
     albuffer = alnext + 4;
-- 
2.47.2
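Review bot: The abort path in the second hunk prints the protocol name twice and never the figure that tripped the check, so a crash report from the fuzzer cannot tell a bound that is slightly too low from a parser that really leaks transactions; the first printf should carry the count and the limit, e.g. `printf("Too many open transactions for protocol %s: %" PRIu64 " > %d\n", AppProtoToString(f->alproto), nbtx, ALPROTO_MAXTX);` (assuming <inttypes.h> is reachable through the file's existing includes, which the hunk does not show). The `// arbitrary value` comment on `ALPROTO_MAXTX` in the first hunk should state what the bound is for, e.g. `// Fuzzer-side cap on transactions still alive in one flow after cleanup; a parser exceeding it is treated as a resource-exhaustion bug (value is arbitrary)`. Since the loop runs right after `AppLayerParserTransactionsCleanup(f)` and counts everything the iterator still returns, "open" in the hunk's comment means "not yet cleaned up" rather than "unfinished", which is worth saying next to the check. The enclosing loop and LLVMFuzzerTestOneInput both begin and end outside the hunk.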