go-ldap / ldap

Basic LDAP v3 functionality for the GO programming language.

fix: `FuzzParseDN` causing OOMs in restricted environments #466

Closed cpuschma closed 1 year ago

cpuschma commented 1 year ago

See the discussion in #460. The fuzzing might crash in certain environments because of the high `ber.MaxPacketLengthBytes` size of 2147483647 bytes (2.1 GB).

This change limits the maximum ASN1 BER packet size to 65KB, which should be sufficient for the fuzzer. We'll look into providing custom encoders/decoders to allow setting a limit without breaking things globally, as the configuration is package-wide.

Additionally, the `fuzz_test.go` file was missing in the `v3` directory. This slipped through in the initial PR.
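To show why a package-wide limit like the one described above matters for fuzzing, here is an added example (not code from go-ldap or the asn1-ber package): a minimal BER length/TLV decoder with its own `MaxPacketLengthBytes` variable, and a fuzz harness that lowers that cap for the duration of the run. The decoder, its error values and the `readLength`/`readElement` names are assumptions of this example; only the idea of a cap on the declared length, and the default of 2147483647 bytes quoted in the PR, come from the discussion. The constructed second input declares exactly that default length in five bytes.

```go
package main

import (
	"errors"
	"fmt"
	"testing"
)

// MaxPacketLengthBytes is a package-wide cap on the length a BER element may
// declare. It mirrors the idea behind the setting discussed in this PR but is
// a variable of this example only, not the go-ldap/asn1-ber package's own.
var MaxPacketLengthBytes int64 = 65535

var (
	ErrTruncated  = errors.New("ber: truncated length or content")
	ErrTooLarge   = errors.New("ber: declared length exceeds MaxPacketLengthBytes")
	ErrIndefinite = errors.New("ber: indefinite length not supported")
)

// readLength decodes a BER length field (X.690 8.1.3) at buf[0] and returns
// the declared length and the number of bytes consumed. Short form is a single
// byte below 0x80; long form is 0x80|n followed by n big-endian length bytes.
func readLength(buf []byte) (int64, int, error) {
	if len(buf) == 0 {
		return 0, 0, ErrTruncated
	}
	b := buf[0]
	if b < 0x80 {
		return int64(b), 1, nil
	}
	n := int(b & 0x7f)
	if n == 0 {
		return 0, 0, ErrIndefinite
	}
	if n > 8 || len(buf) < 1+n {
		return 0, 0, ErrTruncated
	}
	var length int64
	for _, c := range buf[1 : 1+n] {
		length = length<<8 | int64(c)
	}
	// The cap is applied to the *declared* length before anything is allocated.
	// A decoder that trusts this value and does make([]byte, length) here lets a
	// five-byte input request gigabytes; a 2 GiB cap only rejects inputs beyond it.
	if length < 0 || length > MaxPacketLengthBytes {
		return 0, 0, ErrTooLarge
	}
	return length, 1 + n, nil
}

// readElement parses one primitive TLV and returns its tag, a copy of its
// content and the unparsed remainder. The copy is made only after the declared
// length has passed the cap and been shown to fit in the remaining input.
func readElement(buf []byte) (tag byte, content []byte, rest []byte, err error) {
	if len(buf) < 2 {
		return 0, nil, nil, ErrTruncated
	}
	tag = buf[0]
	length, n, err := readLength(buf[1:])
	if err != nil {
		return 0, nil, nil, err
	}
	start := 1 + n
	if int64(len(buf)-start) < length {
		return 0, nil, nil, ErrTruncated
	}
	end := start + int(length)
	content = append([]byte(nil), buf[start:end]...)
	return tag, content, buf[end:], nil
}

// FuzzReadElement has the harness shape the PR is about: the package-wide cap is
// lowered for the fuzz run so the fuzzer, which will certainly explore the length
// field, cannot drive allocation into the gigabytes on a memory-restricted host.
func FuzzReadElement(f *testing.F) {
	saved := MaxPacketLengthBytes
	MaxPacketLengthBytes = 65535
	f.Cleanup(func() { MaxPacketLengthBytes = saved })

	f.Add([]byte{0x04, 0x03, 'a', 'b', 'c'})          // OCTET STRING "abc" (constructed)
	f.Add([]byte{0x04, 0x84, 0x7f, 0xff, 0xff, 0xff}) // declares 2147483647 bytes (constructed)
	f.Fuzz(func(t *testing.T, data []byte) {
		_, content, _, err := readElement(data)
		if err == nil && int64(len(content)) > MaxPacketLengthBytes {
			t.Fatalf("content of %d bytes exceeded the cap", len(content))
		}
	})
}

func main() {
	// Constructed inputs: a valid short element and one declaring ~2 GiB of content.
	for _, in := range [][]byte{
		{0x04, 0x03, 'a', 'b', 'c'},
		{0x04, 0x84, 0x7f, 0xff, 0xff, 0xff},
	} {
		tag, content, _, err := readElement(in)
		fmt.Printf("tag=0x%02x content=%q err=%v\n", tag, content, err)
	}
}
```

With the cap at 65535 the second input is rejected by `readLength` as `ErrTooLarge` without touching the heap; if the cap is raised back to the 2 GiB default, the same input passes the cap and is only stopped by the remaining-bytes check in `readElement`, which is the check a naive decoder that allocates up front does not have.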

0x34d commented 1 year ago

Bug: in `v3/fuzz_test.go` you need to change the names.

To: `FuzzParseDNv3`, `FuzzDecodeEscapedSymbolsv3`, `FuzzEscapeDNv3`.

Also in `fuzz_test.go`, to: `FuzzParseDNv0`, `FuzzDecodeEscapedSymbolsv0`, `FuzzEscapeDNv0`.

And then `build.sh` needs to be updated.

0x34d commented 1 year ago

https://github.com/google/oss-fuzz/pull/10969

cpuschma commented 1 year ago

Oh you already opened the PR, alright. Thank you! I was about to remove the mirroring and separate this into a new PR, since the v3 and root directory are out of sync anyways.

TomSellers commented 1 year ago

Odd, so with the current code, the following works: `go test -v -fuzz ^'FuzzParseDNv0$' .`

But this returns `testing: warning: no fuzz tests to fuzz`: `go test -v -fuzz '^FuzzParseDNv3$' .`

Is this module related?

EDIT: Ah, so if I cd into v3 and run the fuzzer it works.

TomSellers commented 1 year ago

Note, after the changes the following had reasonable memory consumption (< 2 GB combined) when fuzzing across 10 cores.

```
go test -v -fuzz ^'FuzzParseDNv0$' .
(cd v3 && go test -v -fuzz '^FuzzParseDNv3$' .)
```

cpuschma commented 1 year ago

`v3` was created back when Go Modules weren't a thing. Since then, both the root and `v3` directory have been mostly in sync to not break any backwards compatibility. Imo, this is obsolete, since the oldest version we support is Go 1.14 anyways, which already had Go Modules integrated.

To get things moving: I'll remove the part where I mirrored the `fuzz_test.go` into `v3` so that the CI runs successfully. As noted in another PR to John Weldon, both directories are out of sync and, as mentioned, maybe it's time to remove this duplicate (versions older than Go 1.14 won't compile anyway due to a missing dependency).

0x34d commented 1 year ago

> EDIT: Ah, so if I cd into v3 and run the fuzzer it works.

`v3` is a different module, so you have to `pushd` and `popd`.