Better fuzz testing and fix several bugs it found

Fix infinite loop in AuthenticationSASL.Decode Fix panic in CommandComplete.Decode Fix panic in DataRow.Decode Fix panic in NotificationResponse.Decode
2022-07-23 16:13:06 -05:00 · 2022-07-23 16:13:06 -05:00 · 7f382f5190
parent 9d0f27bc4b
commit 7f382f5190
11 changed files with 67 additions and 16 deletions
--- a/pgproto3/authentication_sasl.go
+++ b/pgproto3/authentication_sasl.go
@ -36,11 +36,12 @@ func (dst *AuthenticationSASL) Decode(src []byte) error {
 	authMechanisms := src[4:]
 	for len(authMechanisms) > 1 {
 		idx := bytes.IndexByte(authMechanisms, 0)
-		if idx > 0 {
+		if idx == -1 {
 			return &invalidMessageFormatErr{messageType: "AuthenticationSASL", details: "unterminated string"}
 		}
 		dst.AuthMechanisms = append(dst.AuthMechanisms, string(authMechanisms[:idx]))
 		authMechanisms = authMechanisms[idx+1:]
 	}
 	}
 	return nil
 }
--- a/pgproto3/command_complete.go
+++ b/pgproto3/command_complete.go
@ -18,8 +18,11 @@ func (*CommandComplete) Backend() {}
 // type identifier and 4 byte message length.
 func (dst *CommandComplete) Decode(src []byte) error {
 	idx := bytes.IndexByte(src, 0)
 	if idx == -1 {
 		return &invalidMessageFormatErr{messageType: "CommandComplete", details: "unterminated string"}
 	}
 	if idx != len(src)-1 {
-		return &invalidMessageFormatErr{messageType: "CommandComplete"}
+		return &invalidMessageFormatErr{messageType: "CommandComplete", details: "string terminated too early"}
 	}
 	dst.CommandTag = src[:idx]
--- a/pgproto3/data_row.go
+++ b/pgproto3/data_row.go
@ -43,19 +43,19 @@ func (dst *DataRow) Decode(src []byte) error {
 			return &invalidMessageFormatErr{messageType: "DataRow"}
 		}
-		msgSize := int(int32(binary.BigEndian.Uint32(src[rp:])))
+		valueLen := int(int32(binary.BigEndian.Uint32(src[rp:])))
 		rp += 4
 		// null
-		if msgSize == -1 {
+		if valueLen == -1 {
 			dst.Values[i] = nil
 		} else {
-			if len(src[rp:]) < msgSize {
+			if len(src[rp:]) < valueLen || valueLen < 0 {
 				return &invalidMessageFormatErr{messageType: "DataRow"}
 			}
-			dst.Values[i] = src[rp : rp+msgSize : rp+msgSize]
+			dst.Values[i] = src[rp : rp+valueLen : rp+valueLen]
-			rp += msgSize
+			rp += valueLen
 		}
 	}
--- a/pgproto3/fuzz_test.go
+++ b/pgproto3/fuzz_test.go
@ -4,22 +4,50 @@ import (
 	"bytes"
 	"testing"
 	"github.com/jackc/pgx/v5/internal/pgio"
 	"github.com/jackc/pgx/v5/pgproto3"
 	"github.com/stretchr/testify/require"
 )
 func FuzzFrontend(f *testing.F) {
-	testcases := [][]byte{
+	testcases := []struct {
-		{'Z', 0, 0, 0, 5},
+		msgType byte
 		msgLen  uint32
 		msgBody []byte
 	}{
 		{
 			msgType: 'Z',
 			msgLen:  2,
 			msgBody: []byte{'I'},
 		},
 		{
 			msgType: 'Z',
 			msgLen:  5,
 			msgBody: []byte{'I'},
 		},
 	}
 	for _, tc := range testcases {
-		f.Add(tc)
+		f.Add(tc.msgType, tc.msgLen, tc.msgBody)
 	}
-	f.Fuzz(func(t *testing.T, encodedMsg []byte) {
+	f.Fuzz(func(t *testing.T, msgType byte, msgLen uint32, msgBody []byte) {
 		// Prune any msgLen > len(msgBody) because they would hang the test waiting for more input.
 		if int(msgLen) > len(msgBody)+4 {
 			return
 		}
 		// Prune any messages that are too long.
 		if msgLen > 128 || len(msgBody) > 128 {
 			return
 		}
 		r := &bytes.Buffer{}
 		w := &bytes.Buffer{}
 		fe := pgproto3.NewFrontend(r, w)
 		var encodedMsg []byte
 		encodedMsg = append(encodedMsg, msgType)
 		encodedMsg = pgio.AppendUint32(encodedMsg, msgLen)
 		encodedMsg = append(encodedMsg, msgBody...)
 		_, err := r.Write(encodedMsg)
 		require.NoError(t, err)
--- a/pgproto3/notification_response.go
+++ b/pgproto3/notification_response.go
@ -22,6 +22,10 @@ func (*NotificationResponse) Backend() {}
 func (dst *NotificationResponse) Decode(src []byte) error {
 	buf := bytes.NewBuffer(src)
 	if buf.Len() < 4 {
 		return &invalidMessageFormatErr{messageType: "NotificationResponse", details: "too short"}
 	}
 	pid := binary.BigEndian.Uint32(buf.Next(4))
 	b, err := buf.ReadBytes(0)
--- a/pgproto3/pgproto3.go
+++ b/pgproto3/pgproto3.go
@ -46,10 +46,11 @@ func (e *invalidMessageLenErr) Error() string {
 type invalidMessageFormatErr struct {
 	messageType string
 	details     string
 }
 func (e *invalidMessageFormatErr) Error() string {
-	return fmt.Sprintf("%s body is invalid", e.messageType)
+	return fmt.Sprintf("%s body is invalid %s", e.messageType, e.details)
 }
 type writeError struct {
--- a/pgproto3/testdata/fuzz/FuzzFrontend/39c5e864da4707fc15fea48f7062d6a07796fdc43b33e0ba9dbd7074a0211fa6
+++ b/pgproto3/testdata/fuzz/FuzzFrontend/39c5e864da4707fc15fea48f7062d6a07796fdc43b33e0ba9dbd7074a0211fa6
@ -0,0 +1,4 @@
 go test fuzz v1
 byte('A')
 uint32(5)
 []byte("0")
--- a/pgproto3/testdata/fuzz/FuzzFrontend/65d91093341a68b16f04605e392b0501847a9b35d3857e67872046dbdc04913e
+++ b/pgproto3/testdata/fuzz/FuzzFrontend/65d91093341a68b16f04605e392b0501847a9b35d3857e67872046dbdc04913e
@ -1,2 +0,0 @@
 go test fuzz v1
 []byte("0\x00\x00\x00\x02")
--- a/pgproto3/testdata/fuzz/FuzzFrontend/9b06792b1aaac8a907dbfa04d526ae14326c8573b7409032caac8461e83065f7
+++ b/pgproto3/testdata/fuzz/FuzzFrontend/9b06792b1aaac8a907dbfa04d526ae14326c8573b7409032caac8461e83065f7
@ -0,0 +1,4 @@
 go test fuzz v1
 byte('D')
 uint32(21)
 []byte("00\xb300000000000000")
--- a/pgproto3/testdata/fuzz/FuzzFrontend/a661fb98e802839f0a7361160fbc6e28794612a411d00bde104364ee281c4214
+++ b/pgproto3/testdata/fuzz/FuzzFrontend/a661fb98e802839f0a7361160fbc6e28794612a411d00bde104364ee281c4214
@ -0,0 +1,4 @@
 go test fuzz v1
 byte('C')
 uint32(4)
 []byte("0")
--- a/pgproto3/testdata/fuzz/FuzzFrontend/fc98dcd487a5173b38763a5f7dd023933f3a86ab566e3f2b091eb36248107eb4
+++ b/pgproto3/testdata/fuzz/FuzzFrontend/fc98dcd487a5173b38763a5f7dd023933f3a86ab566e3f2b091eb36248107eb4
@ -0,0 +1,4 @@
 go test fuzz v1
 byte('R')
 uint32(13)
 []byte("\x00\x00\x00\n0\x12\xebG\x8dI']G\xdac\x95\xb7\x18\xb0\x02\xe8m\xc2\x00\xef\x03\x12\x1b\xbdj\x10\x9f\xf9\xeb\xb8")
		`@ -1,2 +0,0 @@`
			`go test fuzz v1`
			`[]byte("0\x00\x00\x00\x02")`