coturn

coturn TURN server project

History

Pavel Punsky 301415d848 Unblock fuzz coverage for is_http and rare STUN attributes (#1884 ) OSS-Fuzz introspector flags three blockers the fuzzer cannot reach on its own: 1. findstr() in src/client/ns_turn_msg.c is gated by is_http(), which requires GET/POST/PUT/DELETE prefix + " HTTP/" + "\r\n\r\n". The fuzzer's binary STUN seeds never synthesize a valid HTTP frame. 2. stun_attr_get_reservation_token_value() and stun_attr_get_response_port_str() are called from harness_attr_iter only when the input contains the matching attribute type. Neither appears in the existing seed corpus. Add HTTP framing keywords to fuzzing/stun.dict and four new seed files covering both gaps: - seed_http_get.raw: minimal "GET / HTTP/1.1\r\nHost: x\r\n\r\n" - seed_http_post_clen.raw: POST with Content-Length to drive the strtoul branch in is_http - seed_reservation_token.raw: STUN allocate response with an 8-byte RESERVATION-TOKEN attribute - seed_response_port.raw: STUN binding request with a 4-byte RESPONSE-PORT attribute Each new STUN seed validated against the real parsers (stun_get_message_len_str, stun_attr_get_first_by_type_str, is_http) to confirm it reaches the targeted branch. The corpus zips also drop pre-existing __MACOSX/ and .DS_Store entries that had snuck in during a prior macOS zip step; net file count rises (24 -> 28 in FuzzStun, 4 -> 8 in FuzzStunClient) while archive size shrinks because of the junk removal.	1 week ago
..
FuzzStunClient_seed_corpus.zip	Unblock fuzz coverage for is_http and rare STUN attributes (#1884 )	1 week ago
FuzzStun_seed_corpus.zip	Unblock fuzz coverage for is_http and rare STUN attributes (#1884 )	1 week ago

Unblock fuzz coverage for is_http and rare STUN attributes (#1884 )

OSS-Fuzz introspector flags three blockers the fuzzer cannot reach on
its own:

1. findstr() in src/client/ns_turn_msg.c is gated by is_http(), which
requires GET/POST/PUT/DELETE prefix + " HTTP/" + "\r\n\r\n". The
fuzzer's binary STUN seeds never synthesize a valid HTTP frame.

2. stun_attr_get_reservation_token_value() and
stun_attr_get_response_port_str() are called from harness_attr_iter only
when the input contains the matching attribute type. Neither appears in
the existing seed corpus.

Add HTTP framing keywords to fuzzing/stun.dict and four new seed files
covering both gaps:

  - seed_http_get.raw: minimal "GET / HTTP/1.1\r\nHost: x\r\n\r\n"
- seed_http_post_clen.raw: POST with Content-Length to drive the strtoul
branch in is_http
- seed_reservation_token.raw: STUN allocate response with an 8-byte
RESERVATION-TOKEN attribute
- seed_response_port.raw: STUN binding request with a 4-byte
RESPONSE-PORT attribute

Each new STUN seed validated against the real parsers
(stun_get_message_len_str, stun_attr_get_first_by_type_str, is_http) to
confirm it reaches the targeted branch.

The corpus zips also drop pre-existing __MACOSX/ and .DS_Store entries
that had snuck in during a prior macOS zip step; net file count rises
(24 -> 28 in FuzzStun, 4 -> 8 in FuzzStunClient) while archive size
shrinks because of the junk removal.

1 week ago

FuzzStunClient_seed_corpus.zip

Unblock fuzz coverage for is_http and rare STUN attributes (#1884 )

1 week ago

FuzzStun_seed_corpus.zip

Unblock fuzz coverage for is_http and rare STUN attributes (#1884 )

1 week ago