authorDaisuke Nojiri <dnojiri@chromium.org>2021-04-10 08:22:05 -0700
committerCommit Bot <commit-bot@chromium.org>2021-06-23 20:01:49 +0000
commit87f59b57817d5800fd929938b2dca914bad14d2c (patch)
tree31c09fac0df1518ab163e7a4f9eb6cbca1c15d09
parent3c74b3a868c2dc955d5396693967ac87bc0f9b93 (diff)
pchg_fuzz: Ignore too large input
This patch makes test_fuzz_one_input return immediately if the input data is larger than the buffer size (of the harness). This patch also makes the test include the message header size to compute the input buffer size so that it can properly process MAX_MESSAGES messages. BUG=b:191868799, b:190841496 BRANCH=None TEST=make run-pchg_fuzz Change-Id: Ifb51e989fe62bfce79da713b3f612c080c9c19de Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2983717 Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
-rw-r--r--fuzz/pchg_fuzz.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/fuzz/pchg_fuzz.c b/fuzz/pchg_fuzz.c
index 301a592617..97dbca74c4 100644
--- a/fuzz/pchg_fuzz.c
+++ b/fuzz/pchg_fuzz.c
@@ -40,8 +40,9 @@ static pthread_cond_t done_cond;
static pthread_mutex_t lock;
#define MAX_MESSAGES 8
-static uint8_t input[
- MAX_MESSAGES * 256 * member_size(struct ctn730_msg, length)];
+#define MAX_MESSAGE_SIZE (sizeof(struct ctn730_msg) \
+ + member_size(struct ctn730_msg, length) * 256)
+static uint8_t input[MAX_MESSAGE_SIZE * MAX_MESSAGES];
static uint8_t *head, *tail;
static bool data_available;
@@ -102,7 +103,8 @@ void run_test(int argc, char **argv)
int test_fuzz_one_input(const uint8_t *data, unsigned int size)
{
- if (size < sizeof(struct ctn730_msg))
+ /* We're not interested in too small or too large input. */
+ if (size < sizeof(struct ctn730_msg) || sizeof(input) < size)
return 0;
pthread_mutex_init(&lock, NULL);