Skip to content

Commit

Permalink
fuzzing: fix Null-dereference 69754, 69745, 69741
Browse files Browse the repository at this point in the history
Signed-off-by: Arjun <pkillarjun@protonmail.com>
  • Loading branch information
pkillarjun committed Jun 19, 2024
1 parent 851363f commit 450b9f6
Showing 3 changed files with 28 additions and 1 deletion.
8 changes: 8 additions & 0 deletions fuzzing/nxt_http_controller_fuzz.c
Original file line number Diff line number Diff line change
@@ -76,6 +76,14 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
goto failed;
}

r_controller->conn = nxt_mp_zget(mp, sizeof(nxt_conn_t));
if (r_controller->conn == NULL) {
goto failed;
}

nxt_main_log.level = NXT_LOG_ALERT;
r_controller->conn->log = nxt_main_log;

nxt_http_fields_process(rp.fields, &nxt_controller_fields_hash,
r_controller);

2 changes: 2 additions & 0 deletions fuzzing/nxt_http_h1p_fuzz.c
Original file line number Diff line number Diff line change
@@ -75,6 +75,8 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
goto failed;
}

r_h1p->mem_pool = mp;

nxt_http_fields_process(rp.fields, &nxt_h1p_fields_hash, r_h1p);

failed:
19 changes: 18 additions & 1 deletion fuzzing/nxt_json_fuzz.c
Original file line number Diff line number Diff line change
@@ -4,7 +4,7 @@

#include <nxt_main.h>
#include <nxt_conf.h>

#include <nxt_router.h>

#define KMININPUTLENGTH 2
#define KMAXINPUTLENGTH 1024
@@ -33,18 +33,30 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
nxt_mp_t *mp;
nxt_str_t input;
nxt_thread_t *thr;
nxt_runtime_t *rt;
nxt_conf_value_t *conf;
nxt_conf_validation_t vldt;

if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
return 0;
}

thr = nxt_thread();

mp = nxt_mp_create(1024, 128, 256, 32);
if (mp == NULL) {
return 0;
}

rt = nxt_mp_zget(mp, sizeof(nxt_runtime_t));
if (rt == NULL) {
goto failed;
}

thr->runtime = rt;
rt->mem_pool = mp;

input.start = (u_char *)data;
input.length = size;

@@ -64,6 +76,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
vldt.conf_pool = mp;
vldt.ver = NXT_VERNUM;

rt->languages = nxt_array_create(mp, 1, sizeof(nxt_app_lang_module_t));
if (rt->languages == NULL) {
goto failed;
}

nxt_conf_validate(&vldt);

nxt_mp_destroy(vldt.pool);

0 comments on commit 450b9f6

Please sign in to comment.