I generated the corresponding myproto.pb.go with the command protoc --gogofast_out=. myproto.proto.
I then used go-fuzz to fuzz the Unmarshal method of the Test message. It found a number of crashers, from which I then created a unit test as a baseline:
I then manually fixed the bugs in the generated source code. Out came the following diff:
--- myproto.pb.go.orig 2015-07-29 19:21:23.000000000 +0200+++ myproto.pb.go 2015-07-29 23:36:13.000000000 +0200@@ -13,7 +13,10 @@
*/
package myproto
-import proto "github.com/gogo/protobuf/proto"+import (+ "errors"+ proto "github.com/gogo/protobuf/proto"+)
import math "math"
import github.com_gogo_protobuf_proto "github.com/gogo/protobuf/proto"
@@ -368,6 +371,9 @@
break
}
}
+ if msglen < 0 {+ return errInvalidLength+ }
postIndex := iNdEx + msglen
if postIndex > l {
return io.ErrUnexpectedEOF
@@ -466,6 +472,11 @@
return nil
}
++var (+ errInvalidLength = errors.New("invalid length")+)+
func skipMyproto(data []byte) (n int, err error) {
l := len(data)
iNdEx := 0
@@ -511,6 +522,9 @@
break
}
}
+ if length < 0 {+ return 0, errInvalidLength+ }
iNdEx += length
return iNdEx, nil
case 3:
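Review bot: In the `@@ -368` hunk, the new `msglen < 0` guard does not cover the addition on the following line. `postIndex := iNdEx + msglen` can wrap to a negative value when `msglen` is a very large positive number, and a negative `postIndex` passes `if postIndex > l`. Suggest also rejecting `postIndex < 0` (or comparing `msglen > l-iNdEx`) before the value is used.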
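Review bot: In the `@@ -466` hunk, `errInvalidLength` is unexported and its message, "invalid length", names no package, so code outside myproto cannot compare against it or tell where it came from. Consider exporting and documenting it. Since myproto.pb.go is generated, the declaration and the `errors` import in the `@@ -13` hunk also need to come from the generator rather than a hand edit, or the next protoc run will drop them.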
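Review bot: In the `@@ -511` hunk of skipMyproto, `iNdEx += length` is returned as `n` without being compared to `l`, unlike the `postIndex > l` test in the Unmarshal hunk. A length larger than the remaining input, or one that makes the sum wrap, yields an `n` outside the buffer. Suggest returning io.ErrUnexpectedEOF when `iNdEx > l` (and an error when `iNdEx < 0`), or documenting that every caller must bounds-check `n`.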
I hope you find this information useful and can reproduce the issue with this information. FTR, I haven't conducted a full check of all protobuf data types, or checked any of the other generators.
awalterschulze changed the title from "gogofast generates Unmarshal code that can panic" to "Bug: generated Unmarshal code can panic, more length checks needed" on Jul 30, 2015
I added my own fuzzing to the generated tests.
It eventually caught your bugs, but before that it caught many other nonexistent "length" < 0 checks.
I also fixed all these bugs. 8edb24c
Thank you very much for your efforts :)
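Added example, not part of the issue thread or of gogo/protobuf: a minimal length-delimited reader showing why the `< 0` checks in the diff are needed. The function names, the varint loop and the sample bytes are assumptions constructed for illustration (64-bit `int` assumed), and the checked path goes one step beyond the patch by also rejecting an `i + n` sum that wraps negative.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

var errInvalidLength = errors.New("invalid length") // sentinel name as in the diff
// Constructed input: a 10-byte varint that decodes to -1 in a 64-bit int.
var negLen = []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x01}

// readLen decodes a varint length into a signed int (assumed decoder shape).
func readLen(data []byte, i int) (length, next int, err error) {
	for shift := uint(0); shift < 64; shift += 7 {
		if i >= len(data) {
			return 0, 0, io.ErrUnexpectedEOF
		}
		b := data[i]
		i++
		length |= (int(b) & 0x7F) << shift // bit 63 lands in the sign bit
		if b < 0x80 {
			return length, i, nil
		}
	}
	return 0, 0, errors.New("varint too long")
}

// readBytes returns the length-delimited payload at the start of data.
func readBytes(data []byte, checked bool) (out []byte, err error) {
	defer func() { // turn the slice-bounds panic into an error for the demo
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("panic: %v", r)
		}
	}()
	n, i, err := readLen(data, 0)
	if err != nil {
		return nil, err
	}
	end := i + n
	if checked && (n < 0 || end < 0) { // end < 0: i+n wrapped around
		return nil, errInvalidLength
	}
	if end > len(data) { // the only test present when checked is false
		return nil, io.ErrUnexpectedEOF
	}
	return data[i:end], nil
}

func main() { fmt.Println(readBytes(negLen, true)) }
```

With `checked` set to false the same input reaches the slice expression and the reader panics, which is the class of crash the fuzzer reported.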
I played a bit with go-fuzz and found the following issue in gogofast, where the generated code can't deal with invalid input and panics.
Given this protobuf file named myproto.proto: