
Panic on unwrapping of None value #2

Closed
neosilky opened this issue Mar 24, 2017 · 1 comment

@neosilky

commented Mar 24, 2017

Found using cargo-fuzz.

It seems `v[2].content` on line 170 of snmp.rs is `Boolean(true)`, which cannot be turned into a slice, so the `unwrap()` there fails on `None`.

extern crate snmp_parser;

/// Fuzz-derived reproducer: hands one fixed, malformed SNMPv1 message to
/// `snmp_parser::parse_snmp_v1`. The return value is deliberately ignored;
/// the input exists only to exercise the reported panic path.
fn main() {
    // Crash artifact recovered by cargo-fuzz (see the libFuzzer output in the report).
    const PACKET: &[u8] = b"01\x02\x02~\xfd\x04(TTY00\x02\x02\xfe\xfd\xfd(ET\xab\xab\xab\x02\x02\x020\x02XXX\xff\xff\xff\xff\xff\xffXX\xff\xff\xff\xff\xff\x01\x00\x00\x01\x00\x00\x00\x00\xfdTN\xab\xab\xab\xab\xab\xc6\xc6\xab";
    let _ = snmp_parser::parse_snmp_v1(PACKET);
}
thread '<unnamed>' panicked at 'called `Option::unwrap()` on a `None` value', /checkout/src/libcore/option.rs:329
stack backtrace:
   0:     0x55820356ae13 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x558203567764 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x55820356bde7 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x55820356b96b - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x55820356c24b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x55820356c124 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x55820356c059 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x55820356bfe7 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x55820365e6fd - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x55820365e634 - core::panicking::panic::hcab3e0dfa81beee9
                               at /checkout/src/libcore/panicking.rs:49
  10:     0x5582034d53dd - <core::option::Option<T>>::unwrap::h28fe5b54c4f71513
                               at /checkout/src/libcore/macros.rs:21
  11:     0x5582034eee66 - snmp_parser::snmp::parse_snmp_v1_content::h07bca7b767d79d8a
                               at /home/neo/dev/work/snmp-parser/src/snmp.rs:170
  12:     0x5582034f53a7 - snmp_parser::snmp::parse_snmp_v1::h2b8998bc1a0b0691
                               at /home/neo/dev/work/snmp-parser/src/snmp.rs:199
  13:     0x558203494545 - rust_fuzzer_test_input
                               at /home/neo/dev/work/snmp-parser/fuzz/fuzzers/fuzzer_script_1.rs:7
  14:     0x55820349817a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  15:     0x55820349623f - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  16:     0x558203571f3b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==3194== ERROR: libFuzzer: deadly signal
    #0 0x55820363d999 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x5582034a9571 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x5582034a94bb in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x5582034c6cad in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7fe01ae0cfdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7fe01a86ea0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7fe01a870139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x558203571f48 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x558203571f48 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 4 ChangeBit-ChangeByte-ChangeByte-ChangeBinInt-; base unit: 4dab96f98875306d2eced8e7667193b55f41cfed
0x30,0x31,0x2,0x2,0x7e,0xfd,0x4,0x28,0x54,0x54,0x59,0x30,0x30,0x2,0x2,0xfe,0xfd,0xfd,0x28,0x45,0x54,0xab,0xab,0xab,0x2,0x2,0x2,0x30,0x2,0x58,0x58,0x58,0xff,0xff,0xff,0xff,0xff,0xff,0x58,0x58,0xff,0xff,0xff,0xff,0xff,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0xfd,0x54,0x4e,0xab,0xab,0xab,0xab,0xab,0xc6,0xc6,0xab,
01\x02\x02~\xfd\x04(TTY00\x02\x02\xfe\xfd\xfd(ET\xab\xab\xab\x02\x02\x020\x02XXX\xff\xff\xff\xff\xff\xffXX\xff\xff\xff\xff\xff\x01\x00\x00\x01\x00\x00\x00\x00\xfdTN\xab\xab\xab\xab\xab\xc6\xc6\xab
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-4cca20a9976d4cbaec98d501d0f3c6baecde9c6d
Base64: MDECAn79BChUVFkwMAIC/v39KEVUq6urAgICMAJYWFj///////9YWP//////AQAAAQAAAAD9VE6rq6urq8bGqw==

@chifflier chifflier self-assigned this Mar 24, 2017

@chifflier


commented Mar 24, 2017

Thanks for both bug reports (der-parser and snmp-parser); this is fixed and will be released soon.

@chifflier chifflier closed this in 81d0174 Mar 24, 2017
