
docs(audit): FCV-3 protocol-parsing fuzz coverage gaps (#2316)#4407

Merged
oferchen merged 1 commit into master from feature/fcv-3-coverage-gap-audit on May 18, 2026

Conversation

@oferchen
Owner

Summary

  • Walk every protocol/filter/checksum/compress/batch/daemon byte-parsing entry point and classify as COVERED / PARTIAL / MISSING against the existing fuzz target inventory.
  • Markdown table + priority recommendations ranked by attack-surface exposure (pre-auth > post-auth > authenticated).
  • No new fuzz targets here - those are tracked as separate FCV follow-ups.

Test plan

  • cargo fmt --all clean

@github-actions github-actions Bot added the documentation Improvements or additions to documentation label May 18, 2026
@oferchen oferchen force-pushed the feature/fcv-3-coverage-gap-audit branch from 78b51a5 to 34e0bb2 Compare May 18, 2026 00:56
oferchen added a commit that referenced this pull request May 18, 2026
…s (FCV-3 followups)

Adds three fuzz targets closing the highest-priority gaps from the
FCV-3 audit (PR #4407):

- rsyncd_conf drives RsyncdConfig::parse, the daemon admin config
  parser reached on startup and reload.
- auth_response drives both verify_client_response (pre-auth challenge
  reply verifier) and SecretsFile::parse (admin secrets file).
- incremental_flist drives StreamingFileList plus IncrementalFileList
  finalize, exercising the post-auth pre-transfer file-list state
  machine under both legacy and INC_RECURSE wire modes.

Each target ships with a minimal seed corpus so libFuzzer has a
starting point. Daemon is wired in as a new path dep on fuzz/Cargo.toml.

Also picks up trailing rustfmt cleanups in two existing fuzz targets
that were flagged when running cargo fmt over the crate.
@oferchen oferchen force-pushed the feature/fcv-3-coverage-gap-audit branch from 34e0bb2 to 053954b Compare May 18, 2026 01:14
@oferchen oferchen force-pushed the feature/fcv-3-coverage-gap-audit branch from 053954b to a02366e Compare May 18, 2026 01:16
@oferchen oferchen merged commit c839b22 into master May 18, 2026
9 checks passed
oferchen added a commit that referenced this pull request May 18, 2026
The vstring codec is exchanged during protocol 30+ capability negotiation,
well before authentication completes, making any panic in the reader a
pre-auth remote attack surface (FCV-3 audit, PR #4407).

Add a libFuzzer target that drives `read_vstring` through the public
`negotiate_capabilities` entry point, with a selector byte that fans out
across protocol versions and role flags so both the one-byte and two-byte
length encodings and the UTF-8 validation path are exercised. Register the
new bin in fuzz/Cargo.toml and seed the corpus with a known-good vstring.
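The commit above describes a libFuzzer target for the vstring reader but the page does not carry the reader itself. Below is an added example, not the project's code, of what that target exercises: a panic-free decoder for the rsync vstring length prefix (the upstream encoding from rsync's io.c: a length below 0x80 is one byte, otherwise two bytes with the high bit set on the first), the matching encoder, and the function a `fuzz_target!` body would call. The names `read_vstring`, `write_vstring` and `fuzz_vstring`, the `VstringError` type and the `VSTRING_MAX_LEN` constant are assumptions for this example; the project's real `read_vstring` and `negotiate_capabilities` signatures are not shown on the page.

```rust
// Added example, not the project's code. Decodes the rsync protocol 30+
// vstring framing without any panicking index or slice operation, so every
// malformed input becomes an Err rather than a crash in a pre-auth reader.
// Names (read_vstring, write_vstring, fuzz_vstring, VstringError) are
// assumptions for this example.

/// Largest length the two-byte form can carry (15 bits).
pub const VSTRING_MAX_LEN: usize = 0x7FFF;

#[derive(Debug, PartialEq)]
pub enum VstringError {
    /// Input ended before the header or body was complete.
    Truncated { needed: usize, have: usize },
    /// Encoder refused a string longer than VSTRING_MAX_LEN.
    TooLong(usize),
    /// Body bytes are not valid UTF-8.
    InvalidUtf8,
}

/// Decode one vstring from the front of `buf`.
/// Returns the string and the number of bytes consumed.
pub fn read_vstring(buf: &[u8]) -> Result<(String, usize), VstringError> {
    let first = *buf
        .first()
        .ok_or(VstringError::Truncated { needed: 1, have: 0 })?;
    // High bit set means a two-byte big-endian length with 15 usable bits.
    let (len, hdr) = if first & 0x80 != 0 {
        let second = *buf
            .get(1)
            .ok_or(VstringError::Truncated { needed: 2, have: 1 })?;
        ((((first & 0x7F) as usize) << 8) | second as usize, 2usize)
    } else {
        (first as usize, 1usize)
    };
    // len <= 0x7FFF and hdr <= 2, so hdr + len cannot overflow; the bounds
    // check on the body is the only thing standing between us and a panic.
    let body = buf.get(hdr..hdr + len).ok_or(VstringError::Truncated {
        needed: hdr + len,
        have: buf.len(),
    })?;
    let s = std::str::from_utf8(body).map_err(|_| VstringError::InvalidUtf8)?;
    Ok((s.to_owned(), hdr + len))
}

/// Encode `s` in canonical form: one-byte length below 0x80, two bytes otherwise.
pub fn write_vstring(s: &str) -> Result<Vec<u8>, VstringError> {
    let len = s.len();
    if len > VSTRING_MAX_LEN {
        return Err(VstringError::TooLong(len));
    }
    let mut out = Vec::with_capacity(len + 2);
    if len > 0x7F {
        out.push(0x80 | (len >> 8) as u8);
        out.push((len & 0xFF) as u8);
    } else {
        out.push(len as u8);
    }
    out.extend_from_slice(s.as_bytes());
    Ok(out)
}

/// Harness body: what `fuzz_target!(|data: &[u8]| { fuzz_vstring(data); })`
/// would run. It must never panic on arbitrary bytes; on a successful decode
/// it re-encodes and re-decodes so that logic bugs, not just crashes, trip the
/// fuzzer. Non-canonical (two-byte form for a short length) inputs are
/// accepted on read, so the check compares strings, not raw bytes.
pub fn fuzz_vstring(data: &[u8]) -> Option<usize> {
    match read_vstring(data) {
        Ok((s, used)) => {
            let re = write_vstring(&s).expect("decoded length is within bounds");
            let (again, re_used) = read_vstring(&re).expect("canonical form decodes");
            assert_eq!(again, s, "vstring round-trip changed the payload");
            assert!(re_used <= used, "canonical encoding cannot be longer than input");
            Some(used)
        }
        Err(_) => None,
    }
}
```

The point of returning `Option<usize>` rather than printing is that the same function serves the fuzz target and a unit test: the fuzzer looks for panics, the test pins the framing (one byte for "module", `0x81 0x2C` for a 300-byte body) and the three truncation and UTF-8 failure modes.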
@oferchen oferchen deleted the feature/fcv-3-coverage-gap-audit branch May 19, 2026 15:12