tests: Avoid fuzzer-specific nullptr dereference in libevent when handling PROXY requests #19140

pull practicalswift wants to merge 1 commits into bitcoin:master from practicalswift:fuzzers-libevent-proxy changing 1 files +9 −1
  1. practicalswift commented at 11:54 AM on June 2, 2020: contributor

    Avoid constructing requests that will be interpreted by libevent as PROXY requests to avoid triggering a nullptr dereference. Split out from #19074 as suggested by MarcoFalke.

    The dereference (req->evcon->http_server) takes place in evhttp_parse_request_line and is a consequence of our hacky but necessary use of the internal function evhttp_parse_firstline_ in the http_request fuzzing harness.

    The suggested workaround is not aesthetically pleasing, but it successfully avoids the troublesome code path.

    " http:// HTTP/1.1\n" was a crashing input prior to this workaround.

    Before this PR:

    $ echo " http:// HTTP/1.1" > input
    $ src/test/fuzz/http_request input
    src/test/fuzz/http_request: Running 1 inputs 1 time(s) each.
    Running: input
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==27905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000108 (pc 0x55a169b7e053 bp 0x7ffd452f1160 sp 0x7ffd452f10e0 T0)
    ==27905==The signal is caused by a READ memory access.
    ==27905==Hint: address points to the zero page.
        #0 0x55a169b7e053 in evhttp_parse_request_line depends/work/build/x86_64-pc-linux-gnu/libevent/2.1.11-stable-36daee64dc1/http.c:1883:37
        #1 0x55a169b7d9ae in evhttp_parse_firstline_ depends/work/build/x86_64-pc-linux-gnu/libevent/2.1.11-stable-36daee64dc1/http.c:2041:7
        #2 0x55a1687f624e in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/http_request.cpp:51:9
    …
    $ echo $?
    1
    

    After this PR:

    $ echo " http:// HTTP/1.1" > input
    $ src/test/fuzz/http_request input
    src/test/fuzz/http_request: Running 1 inputs 1 time(s) each.
    Running: input
    Executed input in 0 ms
    ***
    *** NOTE: fuzzing was not performed, you have only
    ***       executed the target code on a fixed set of inputs.
    ***
    $ echo $?
    0
    

    See doc/fuzzing.md for information on how to fuzz Bitcoin Core. Don't forget to contribute any coverage increasing inputs you find to the Bitcoin Core fuzzing corpus repo.

    Happy fuzzing :)
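An added illustration of the kind of input gate the description above talks about; this is example code, not the PR's diff or anything from Bitcoin Core or libevent. It splits the request line the way a harness feeding `evhttp_parse_firstline_` would and rejects absolute-form targets (any `scheme://...` target, generalising beyond the `http://` case on the page); the function names and the assumption that absolute-form targets are exactly what libevent classifies as PROXY requests are this example's own.

```cpp
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

// True if `target` is an RFC 3986 absolute-form request-target, i.e. it starts
// with a scheme (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )) followed by "://".
// origin-form ("/path"), asterisk-form ("*") and authority-form ("host:port")
// all fail this test, so they are still fed to the parser.
bool IsAbsoluteForm(const std::string& target)
{
    if (target.empty() || !std::isalpha(static_cast<unsigned char>(target[0]))) return false;
    size_t i = 1;
    while (i < target.size()) {
        const unsigned char c = static_cast<unsigned char>(target[i]);
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.') { ++i; continue; }
        break;
    }
    return target.compare(i, 3, "://") == 0;
}

// Hypothetical harness pre-check (not the PR's own code): look only at the first
// line, split "METHOD SP request-target SP HTTP-version" on spaces and report
// whether the target is absolute-form. A leading space, as in the crashing input
// " http:// HTTP/1.1", yields an empty method and the target "http://".
bool IsProxyStyleRequestLine(const std::string& input)
{
    const std::string line = input.substr(0, input.find_first_of("\r\n"));
    const size_t sp1 = line.find(' ');
    if (sp1 == std::string::npos) return false; // no request-target at all
    const size_t begin = sp1 + 1;
    const size_t sp2 = line.find(' ', begin);
    const std::string target =
        line.substr(begin, sp2 == std::string::npos ? std::string::npos : sp2 - begin);
    return IsAbsoluteForm(target);
}

// Assumed gate for the harness entry point: inputs that would be treated as
// PROXY requests are skipped before any libevent call (the call itself is not
// shown here, since this example does not link libevent).
bool ShouldFuzzInput(const std::vector<uint8_t>& buffer)
{
    return !IsProxyStyleRequestLine(std::string(buffer.begin(), buffer.end()));
}
```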

  2. tests: Avoid fuzzer-specific nullptr dereference in libevent when handling PROXY requests 20d31bdd92
  3. fanquake added the label Tests on Jun 2, 2020
  4. fanquake commented at 2:49 AM on June 4, 2020: member

    @theStack you might be interested in this?

  5. practicalswift commented at 8:49 PM on July 10, 2020: contributor

    Any chance of getting this merged? It is a bit cumbersome to wade through tons of spurious http_request crashes when fuzzing Bitcoin Core master :)

    Note that this is a workaround for a bug (of mine) in the fuzzing harness -- not in libevent -- so should be entirely safe to merge. Touches only src/test/fuzz/http_request.cpp.

  6. MarcoFalke merged this on Jul 10, 2020
  7. MarcoFalke closed this on Jul 10, 2020

  8. sidhujag referenced this in commit 8c57f3df6f on Jul 11, 2020
  9. Fabcien referenced this in commit dafd2b7224 on Jan 21, 2021
  10. practicalswift deleted the branch on Apr 10, 2021
  11. PastaPastaPasta referenced this in commit e008b546e3 on Jul 17, 2022
  12. DrahtBot locked this on Aug 16, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 15:14 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me