diff --git a/vendor.mod b/vendor.mod index 896e44bd32..5bd2e78c24 100644 --- a/vendor.mod +++ b/vendor.mod @@ -10,7 +10,7 @@ require ( cloud.google.com/go/compute/metadata v0.2.3 cloud.google.com/go/logging v1.7.0 code.cloudfoundry.org/clock v1.0.0 - github.com/AdaLogics/go-fuzz-headers v0.0.0-20221118232415-3345c89a7c72 + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 github.com/Graylog2/go-gelf v0.0.0-20191017102106-1550ee647df0 github.com/Microsoft/go-winio v0.5.2 diff --git a/vendor.sum b/vendor.sum index bf3a54cdaf..50e990ba7f 100644 --- a/vendor.sum +++ b/vendor.sum @@ -61,8 +61,8 @@ contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcig dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg= git.apache.org/thrift.git v0.12.0/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20221118232415-3345c89a7c72 h1:kq78byqmxX6R9uk4uN3HD2F5tkZJAZMauuLSkNPS8to= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20221118232415-3345c89a7c72/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0= github.com/AkihiroSuda/containerd-fuse-overlayfs v1.0.0/go.mod h1:0mMDvQFeLbbn1Wy8P2j3hwFhqBq+FKn8OZPno8WLmp8= github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuEd+YuKoUiazDC/N96FiDEU= github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= diff --git a/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go b/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go index 16200a100e..fdde08a75c 100644 --- a/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go +++ b/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go @@ -1,3 +1,17 @@ +// Copyright 2023 The go-fuzz-headers Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package gofuzzheaders import ( @@ -18,7 +32,10 @@ import ( securejoin "github.com/cyphar/filepath-securejoin" ) -var MaxTotalLen uint32 = 2000000 +var ( + MaxTotalLen uint32 = 2000000 + maxDepth = 100 +) func SetMaxTotalLen(newLen uint32) { MaxTotalLen = newLen @@ -32,6 +49,7 @@ type ConsumeFuzzer struct { NumberOfCalls int position uint32 fuzzUnexportedFields bool + curDepth int Funcs map[reflect.Type]reflect.Value } @@ -44,6 +62,7 @@ func NewConsumer(fuzzData []byte) *ConsumeFuzzer { data: fuzzData, dataTotal: uint32(len(fuzzData)), Funcs: make(map[reflect.Type]reflect.Value), + curDepth: 0, } } @@ -129,11 +148,18 @@ func (f *ConsumeFuzzer) setCustom(v reflect.Value) error { } func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error { + if f.curDepth >= maxDepth { + // return err or nil here? + return nil + } + f.curDepth++ + defer func() { f.curDepth-- }() + // We check if we should check for custom functions if customFunctions && e.IsValid() && e.CanAddr() { err := f.setCustom(e.Addr()) - if err == nil { - return nil + if err != nil { + return err } } @@ -363,18 +389,11 @@ func (f *ConsumeFuzzer) GetUint16() (uint16, error) { } func (f *ConsumeFuzzer) GetUint32() (uint32, error) { - u32, err := f.GetNBytes(4) + i, err := f.GetInt() if err != nil { - return 0, err + return uint32(0), err } - littleEndian, err := f.GetBool() - if err != nil { - return 0, err - } - if littleEndian { - return binary.LittleEndian.Uint32(u32), nil - } - return binary.BigEndian.Uint32(u32), nil + return uint32(i), nil } func (f *ConsumeFuzzer) GetUint64() (uint64, error) { @@ -431,7 +450,7 @@ func (f *ConsumeFuzzer) GetString() (string, error) { if f.position > MaxTotalLen { return "nil", errors.New("created too large a string") } - byteBegin := f.position - 1 + byteBegin := f.position if byteBegin >= f.dataTotal { return "nil", errors.New("not enough bytes to create string") } @@ -476,7 +495,7 @@ func returnTarBytes(buf []byte) ([]byte, error) { } fileCounter++ } - if fileCounter > 4 { + if fileCounter >= 1 { return buf, nil } return nil, fmt.Errorf("not enough files were created\n") @@ -546,27 +565,77 @@ func setTarHeaderTypeflag(hdr *tar.Header, f *ConsumeFuzzer) error { return nil } +func tooSmallFileBody(length uint32) bool { + if length < 2 { + return true + } + if length < 4 { + return true + } + if length < 10 { + return true + } + if length < 100 { + return true + } + if length < 500 { + return true + } + if length < 1000 { + return true + } + if length < 2000 { + return true + } + if length < 4000 { + return true + } + if length < 8000 { + return true + } + if length < 16000 { + return true + } + if length < 32000 { + return true + } + if length < 64000 { + return true + } + if length < 128000 { + return true + } + if length < 264000 { + return true + } + return false +} + func (f *ConsumeFuzzer) createTarFileBody() ([]byte, error) { length, err := f.GetUint32() if err != nil { return nil, errors.New("not enough bytes to create byte array") } + shouldUseLargeFileBody, err := f.GetBool() + if err != nil { + return nil, errors.New("not enough bytes to check long file body") + } + + if shouldUseLargeFileBody && tooSmallFileBody(length) { + return nil, errors.New("File body was too small") + } + // A bit of optimization to attempt to create a file body // when we don't have as many bytes left as "length" remainingBytes := f.dataTotal - f.position if remainingBytes == 0 { return nil, errors.New("created too large a string") } - if remainingBytes < 50 { - length = length % remainingBytes - } else if f.dataTotal < 500 { - length = length % f.dataTotal - } if f.position+length > MaxTotalLen { return nil, errors.New("created too large a string") } - byteBegin := f.position - 1 + byteBegin := f.position if byteBegin >= f.dataTotal { return nil, errors.New("not enough bytes to create byte array") } @@ -606,7 +675,7 @@ func (f *ConsumeFuzzer) getTarFilename() (string, error) { if f.position > MaxTotalLen { return "nil", errors.New("created too large a string") } - byteBegin := f.position - 1 + byteBegin := f.position if byteBegin >= f.dataTotal { return "nil", errors.New("not enough bytes to create string") } @@ -669,7 +738,7 @@ func (f *ConsumeFuzzer) TarBytes() ([]byte, error) { return returnTarBytes(buf.Bytes()) } } - return returnTarBytes(buf.Bytes()) + return buf.Bytes(), nil } // CreateFiles creates pseudo-random files in rootDir. diff --git a/vendor/github.com/AdaLogics/go-fuzz-headers/funcs.go b/vendor/github.com/AdaLogics/go-fuzz-headers/funcs.go index 40273c13a8..8ca3a61b87 100644 --- a/vendor/github.com/AdaLogics/go-fuzz-headers/funcs.go +++ b/vendor/github.com/AdaLogics/go-fuzz-headers/funcs.go @@ -1,3 +1,17 @@ +// Copyright 2023 The go-fuzz-headers Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package gofuzzheaders import ( diff --git a/vendor/github.com/AdaLogics/go-fuzz-headers/sql.go b/vendor/github.com/AdaLogics/go-fuzz-headers/sql.go index 9290aac3a4..2afd49f848 100644 --- a/vendor/github.com/AdaLogics/go-fuzz-headers/sql.go +++ b/vendor/github.com/AdaLogics/go-fuzz-headers/sql.go @@ -1,3 +1,17 @@ +// Copyright 2023 The go-fuzz-headers Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package gofuzzheaders import ( diff --git a/vendor/modules.txt b/vendor/modules.txt index f151ee268c..70d4f10385 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -21,7 +21,7 @@ cloud.google.com/go/longrunning/autogen/longrunningpb # code.cloudfoundry.org/clock v1.0.0 ## explicit code.cloudfoundry.org/clock -# github.com/AdaLogics/go-fuzz-headers v0.0.0-20221118232415-3345c89a7c72 +# github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 ## explicit; go 1.18 github.com/AdaLogics/go-fuzz-headers # github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1