Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Panic: "bad character in CAA issuer value" #2030

Open
oherrala opened this issue Sep 20, 2023 · 2 comments
Open

Panic: "bad character in CAA issuer value" #2030

oherrala opened this issue Sep 20, 2023 · 2 comments

Comments

@oherrala
Copy link
Contributor

Running cargo-fuzz in this repo with #2025 PR included there's a crash:

% cargo +nightly fuzz run message

Message { header: Header { id: 12594, message_type: Response, op_code: Query, authoritative: false, truncation: false, recursion_desired: true, recursion_available: false, authentic_data: tr
ue, checking_disabled: false, response_code: Refused, query_count: 0, answer_count: 0, name_server_count: 0, additional_count: 1 }, queries: [], answers: [], name_servers: [], additionals: [
Record { name_labels: Name("."), rr_type: CAA, dns_class: IN, ttl: 3221225472, rdata: Some(CAA(CAA { issuer_critical: false, tag: Issue, value: Issuer(Some(Name("n.t")), [KeyValue { key: "po
", value: "lieyÿÿÿÿÿÿÿÿÿÿcvÀ" }]) })) }], signature: [], edns: None }                                                                                                                         
thread '<unnamed>' panicked at fuzz_targets/message.rs:29:17:                                                                                                                                 
Message failed to deserialize: ProtoError { kind: Msg("bad character in CAA issuer value: '\u{80}'") }

The payload:

Output of `std::fmt::Debug`:

        [49, 50, 129, 101, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 192, 0, 0, 0, 0, 32, 0, 5, 105, 115, 115, 117, 101, 110, 46, 116, 59, 32, 112, 111, 61, 108, 105, 101, 121, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 99, 118, 192]
% hexyl --color never fuzz/artifacts/message/crash-84dfeabab146929ed1b7509e12f55e0dce79ba92
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 31 32 81 65 00 00 00 00 ┊ 00 00 00 01 00 01 01 00 │12×e⋄⋄⋄⋄┊⋄⋄⋄•⋄••⋄│
│00000010│ 01 c0 00 00 00 00 20 00 ┊ 05 69 73 73 75 65 6e 2e │•×⋄⋄⋄⋄ ⋄┊•issuen.│
│00000020│ 74 3b 20 70 6f 3d 6c 69 ┊ 65 79 ff ff ff ff ff ff │t; po=li┊ey××××××│
│00000030│ ff ff ff ff 63 76 c0    ┊                         │××××cv× ┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
@bluejekyll
Copy link
Member

I really need to come up with an easier way for us to import fuzz crash reports into the project. On this one, it looks like this might be a test failure? The data appears to fail deserialization due to valid errors in the stream. I thought the fuzzing impl dealt with that. I'll have to take a look.

@bluejekyll
Copy link
Member

Ah, I see, this appears to be a round-tripping issue. I wonder if that's ultimately important or not for us... I'm not sure it's catching what we are most concerned with fuzz, which is bad data coming in off the wire and crashing the deserialization or causing issues at that time. The fuzz target seems to trip up on this round-trip logic often, and I'm not sure if it's an important detail. That is, this is bad data, it shouldn't be valid to construct it...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants