@ivanpustogarov and I found a few bugs while using AFL to fuzz the first authentication step of libstrophe in SASL mode (although these issues can be applicable to the nearby TLS code as well).
For a particular initial server response, libstrophe will crash with:
received signal SIGSEGV, Segmentation fault.
in _handle_features (conn=0x61d970, stanza=<optimized out>, userdata=<optimized out>) at src/auth.c:240
240 if (child && (strcmp(xmpp_stanza_get_ns(child), XMPP_NS_SASL) == 0)) {
An example response from a server that would crash libstrophe:
Specifically, it crashes in strcmp because strcmp receives NULL from xmpp_stanza_get_ns(child). This can be caused by there being no xmlns attribute in mechanisms.
Similarly, strcasecmp in auth.c:245 crashes if xmpp_stanza_get_text(mech) returns NULL. Example server response that triggers this is:
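The pattern behind both crashes is the same: an accessor that legitimately returns NULL (no `xmlns` attribute, no text content) is handed straight to `strcmp`/`strcasecmp`. The following is an added illustration, not part of the report above and not libstrophe's own code: a self-contained stand-in for the stanza tree (the `stanza_t` struct, `child_by_name`, `ns_is`, `text_is_ci` and `sasl_mechanisms` are all hypothetical names, and NULL in the `ns`/`text` fields models the NULL return of `xmpp_stanza_get_ns()`/`xmpp_stanza_get_text()`), with a NULL-safe version of the `<mechanisms>` walk that treats a missing namespace or missing text as "no match" instead of dereferencing it. The three inputs at the bottom are constructed, not captured traffic. Note that the real `xmpp_stanza_get_text()` returns an allocated copy that the caller must free; the model keeps plain `const char *` pointers for brevity.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for a parsed stanza (NOT libstrophe's xmpp_stanza_t).
 * NULL in `ns` or `text` models the NULL that xmpp_stanza_get_ns() and
 * xmpp_stanza_get_text() return when the attribute or text is absent. */
typedef struct stanza {
    const char *name;
    const char *ns;      /* NULL: element carries no xmlns attribute */
    const char *text;    /* NULL: element has no text content */
    struct stanza *child;
    struct stanza *next;
} stanza_t;

#define XMPP_NS_SASL "urn:ietf:params:xml:ns:xmpp-sasl"
enum { MECH_PLAIN = 1u << 0, MECH_DIGEST_MD5 = 1u << 1 };

static const stanza_t *child_by_name(const stanza_t *p, const char *name)
{
    for (const stanza_t *c = p ? p->child : NULL; c; c = c->next)
        if (strcmp(c->name, name) == 0)
            return c;
    return NULL;
}

/* NULL-safe comparisons: an absent namespace or text never matches, instead
 * of being passed to strcmp()/strcasecmp() as a NULL pointer. */
static bool ns_is(const stanza_t *s, const char *ns)
{
    return s && s->ns && strcmp(s->ns, ns) == 0;
}

static bool text_is_ci(const stanza_t *s, const char *text)
{
    return s && s->text && strcasecmp(s->text, text) == 0;
}

/* Hardened form of the <mechanisms> walk the report describes: returns a
 * bitmask of recognised SASL mechanisms, or 0 when <mechanisms> is missing,
 * carries no xmlns, or its <mechanism/> children have no text. */
unsigned sasl_mechanisms(const stanza_t *features)
{
    const stanza_t *mechs = child_by_name(features, "mechanisms");
    unsigned found = 0;
    if (!ns_is(mechs, XMPP_NS_SASL))   /* covers mechs == NULL and ns == NULL */
        return 0;
    for (const stanza_t *m = mechs->child; m; m = m->next) {
        if (strcmp(m->name, "mechanism") != 0)
            continue;
        if (text_is_ci(m, "PLAIN"))          /* text == NULL simply skips */
            found |= MECH_PLAIN;
        else if (text_is_ci(m, "DIGEST-MD5"))
            found |= MECH_DIGEST_MD5;
    }
    return found;
}

/* Constructed inputs modelling the two failure modes from the report
 * (mechanisms without xmlns; mechanism without text) and a well-formed one. */
static stanza_t plain   = { "mechanism", NULL, "PLAIN", NULL, NULL };
static stanza_t digest  = { "mechanism", NULL, "DIGEST-MD5", NULL, &plain };
static stanza_t empty   = { "mechanism", NULL, NULL, NULL, NULL };
static stanza_t mechs_no_ns   = { "mechanisms", NULL, NULL, &digest, NULL };
static stanza_t mechs_no_text = { "mechanisms", XMPP_NS_SASL, NULL, &empty, NULL };
static stanza_t mechs_ok      = { "mechanisms", XMPP_NS_SASL, NULL, &digest, NULL };
static stanza_t feat_no_ns   = { "stream:features", NULL, NULL, &mechs_no_ns, NULL };
static stanza_t feat_no_text = { "stream:features", NULL, NULL, &mechs_no_text, NULL };
static stanza_t feat_ok      = { "stream:features", NULL, NULL, &mechs_ok, NULL };

const stanza_t *features_missing_ns(void)   { return &feat_no_ns; }
const stanza_t *features_missing_text(void) { return &feat_no_text; }
const stanza_t *features_well_formed(void)  { return &feat_ok; }

int main(void)
{
    printf("missing xmlns -> 0x%x\n", sasl_mechanisms(features_missing_ns()));
    printf("missing text  -> 0x%x\n", sasl_mechanisms(features_missing_text()));
    printf("well formed   -> 0x%x\n", sasl_mechanisms(features_well_formed()));
    return 0;
}
```

The two inputs that crash the unchecked code both yield 0 here (no usable SASL mechanism advertised), which is the behaviour a client wants from a malformed or hostile server: fall through to "no supported mechanism" rather than segfault before authentication has even started.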