Skip to content

test(fuzz): rsyncd.conf, auth response, incremental flist fuzz targets (FCV-3 followups)#4444

Merged
oferchen merged 1 commit into
masterfrom
test/fuzz-3-new-fcv-gaps
May 18, 2026
Merged

test(fuzz): rsyncd.conf, auth response, incremental flist fuzz targets (FCV-3 followups)#4444
oferchen merged 1 commit into
masterfrom
test/fuzz-3-new-fcv-gaps

Conversation

@oferchen
Copy link
Copy Markdown
Owner

@oferchen oferchen commented May 18, 2026

Summary

  • Three new fuzz targets closing high-priority gaps from PR docs(audit): FCV-3 protocol-parsing fuzz coverage gaps (#2316) #4407 (FCV-3 audit):
    • rsyncd_conf (pre-auth admin attack surface) drives RsyncdConfig::parse.
    • auth_response (pre-auth) drives both verify_client_response (challenge-reply verifier) and SecretsFile::parse (admin secrets file). A one-byte selector splits the corpus between the two surfaces.
    • incremental_flist (post-auth, pre-transfer) drives StreamingFileList::next_ready plus IncrementalFileList::finalize under both legacy (protocol 28) and INC_RECURSE (protocol 30 + CF_INC_RECURSE) wire modes.
  • Each target ships with a minimal seed corpus under fuzz/corpus/<target>/seed_basic.
  • Wires daemon into fuzz/Cargo.toml as a new path dep (default features off).
  • Trailing rustfmt cleanups in two existing fuzz harness files surfaced by cargo fmt over the crate.

API substitutions made

The audit prompt sketched the entry points as daemon::config::parse_conf, daemon::auth::verify_response, and protocol::flist::incremental::parse_segment. The actual public APIs differ slightly; nearest analogs used:

Suggested Used
daemon::config::parse_conf(&str) daemon::rsyncd_config::RsyncdConfig::parse(input: &str, path: &Path)
daemon::auth::verify_response(&[u8]) daemon::auth::verify_client_response(secret: &[u8], challenge: &str, response: &str, protocol_version: Option<u8>) plus daemon::auth::SecretsFile::parse(&str)
protocol::flist::incremental::parse_segment(&[u8]) protocol::flist::StreamingFileList::new(FileListReader, Cursor<&[u8]>).next_ready() plus IncrementalFileList::finalize()

The goal is bytes-in fuzz coverage of the named attack surface, which is preserved.

Test plan

  • cargo fmt clean on the three new files (verified via targeted rustfmt).
  • All three targets register as new [[bin]] entries in fuzz/Cargo.toml.
  • All three targets compile via cargo +nightly fuzz build <target> (CI-only).
  • Seed corpora present under fuzz/corpus/{rsyncd_conf,auth_response,incremental_flist}/seed_basic.

@oferchen oferchen force-pushed the test/fuzz-3-new-fcv-gaps branch from 7b85cea to 63b7118 Compare May 18, 2026 01:12
@github-actions github-actions Bot added the test label May 18, 2026
@oferchen oferchen force-pushed the test/fuzz-3-new-fcv-gaps branch from 63b7118 to 8e7cc64 Compare May 18, 2026 01:23
@oferchen oferchen merged commit b1361d2 into master May 18, 2026
2 checks passed
This was referenced May 18, 2026
Merged
Merged
oferchen added a commit that referenced this pull request May 18, 2026
@oferchen
docs(audit): FCV-16 rsyncd.conf line parser - no separate entry point (
4d54c9a 
…#2449) (#4492)

Audit confirms the rsyncd.conf parser has no public line / key-value sub-parser
in either the standalone `daemon::rsyncd_config` API or the daemon runtime
`daemon::sections::config_parsing` pathway. All per-directive, per-bool, and
per-list helpers are private to their parser modules; only the whole-file
entry points (`RsyncdConfig::parse`, `parse_config_modules`) are reachable.

The existing `fuzz/fuzz_targets/rsyncd_conf.rs` target landed in PR #4444
already exercises every line-level branch through the whole-file driver, so
FCV-16 is closed with no production-code change.
oferchen added a commit that referenced this pull request May 18, 2026
@oferchen
test(fuzz): rsyncd.conf, auth response, incremental flist fuzz target…
1ab6f0d 
…s (FCV-3 followups) (#4444)
oferchen added a commit that referenced this pull request May 18, 2026
@oferchen
docs(audit): FCV-16 rsyncd.conf line parser - no separate entry point (
33e436b 
…#2449) (#4492)

Audit confirms the rsyncd.conf parser has no public line / key-value sub-parser
in either the standalone `daemon::rsyncd_config` API or the daemon runtime
`daemon::sections::config_parsing` pathway. All per-directive, per-bool, and
per-list helpers are private to their parser modules; only the whole-file
entry points (`RsyncdConfig::parse`, `parse_config_modules`) are reachable.

The existing `fuzz/fuzz_targets/rsyncd_conf.rs` target landed in PR #4444
already exercises every line-level branch through the whole-file driver, so
FCV-16 is closed with no production-code change.
oferchen added a commit that referenced this pull request May 18, 2026
@oferchen
test(fuzz): rsyncd.conf, auth response, incremental flist fuzz target…
6e8cc0f 
…s (FCV-3 followups) (#4444)
oferchen added a commit that referenced this pull request May 18, 2026
@oferchen
docs(audit): FCV-16 rsyncd.conf line parser - no separate entry point (
a8a868f 
…#2449) (#4492)

Audit confirms the rsyncd.conf parser has no public line / key-value sub-parser
in either the standalone `daemon::rsyncd_config` API or the daemon runtime
`daemon::sections::config_parsing` pathway. All per-directive, per-bool, and
per-list helpers are private to their parser modules; only the whole-file
entry points (`RsyncdConfig::parse`, `parse_config_modules`) are reachable.

The existing `fuzz/fuzz_targets/rsyncd_conf.rs` target landed in PR #4444
already exercises every line-level branch through the whole-file driver, so
FCV-16 is closed with no production-code change.
@oferchen oferchen deleted the test/fuzz-3-new-fcv-gaps branch May 19, 2026 15:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@oferchen