
Crash in recvfuzz.exe #4084

Open
@gvanem

Description

Describe the bug

I just did a git pull and a fresh build of MsQuic on Win-10 using MSVC's cl ver. 19.39.33428 for x64.

Running bin\Release\recvfuzz.exe, prints:

Using seed value: 1968512925
Remote address: 127.0.0.1:9999
Failed to create sec config!

Then WinDbg kicks in; some modules and the offending instruction:

...
ModLoad: 00007ffe`b5030000 00007ffe`b50c8000   C:\Windows\system32\schannel.DLL
ModLoad: 00007ffe`97280000 00007ffe`97295000   C:\Windows\SYSTEM32\mskeyprotect.dll
(4494.27e0): Access violation - code c0000005 (!!! second chance !!!)

recvfuzz!CxPlatTlsInitialize+0x3d:
00007ff7`008aab6d 8b4810          mov     ecx,dword ptr [rax+10h] ds:00000000`00000010=????????

Call-stack:

recvfuzz!CxPlatTlsInitialize(struct CXPLAT_TLS_CONFIG * Config = 0x000000c6`bdafcd60, struct CXPLAT_TLS_PROCESS_STATE * State = 0x000000c6`bdafdf30, struct CXPLAT_TLS ** NewTlsContext = 0x000000c6`bdafdf20)+0x3d
recvfuzz!TlsContext::TlsContext(void)+0x213
recvfuzz!WriteInitialCryptoFrame(unsigned short * Offset = 0x000000c6`bdafe158, unsigned short BufferLength = 0x1000, unsigned char * Buffer = 0x000000c6`bdafe270 "H???")+0x30
recvfuzz!WriteClientInitialPacket(unsigned int PacketNumber = 0x34c, unsigned char CidLength = 0x08 '', unsigned short BufferLength = 0, unsigned char * Buffer = 0x000000c6`bdaff360 "", unsigned short * PacketLength = 0x000000c6`bdaff2f4, unsigned short * HeaderLength = 0x000000c6`bdaff2f0)+0x9c
recvfuzz!buildInitialPacket(struct CXPLAT_SOCKET * Binding = 0x0000028c`ccf84890, struct CXPLAT_ROUTE * Route = 0x000000c6`bdaff5f0, int64 * PacketCount = 0x000000c6`bdaff658, int64 * TotalByteCount = 0x000000c6`bdaff660, bool fuzzing = true)+0x16b
recvfuzz!fuzz(struct CXPLAT_SOCKET * Binding = 0x0000028c`ccf84890, struct CXPLAT_ROUTE * Route = 0x000000c6`bdaff6d0)+0x18a
recvfuzz!start(void)+0x547
recvfuzz!main(int argc = 0n1, char ** argv = 0x0000028c`cae7f858)+0x124
recvfuzz!invoke_main(void)+0x22
recvfuzz!__scrt_common_main_seh(void)+0x10c
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Root cause: in src/platform/tls_schannel.c (line 1542):

    if (Config->IsServer != !(Config->SecConfig->Flags & QUIC_CREDENTIAL_FLAG_CLIENT)) {
        //                          ^__ this is NULL!!
        ...
    }

Where/how should the Config->SecConfig value be set?

Affected OS

  • Windows
  • Linux
  • macOS
  • Other (specify below)

Additional OS information

Win 10. Build 19045, version 22H2 (OS-build 19045.3996).

MsQuic version

main

Steps taken to reproduce bug

Run recvfuzz.exe with no parameters. Seems it doesn't matter.

Expected behavior

Not crash. Duh!

Actual outcome

See above.

Additional details

Not really.
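The faulting instruction in the report (mov ecx, dword ptr [rax+10h] with a read at address 0x10) is what a NULL Config->SecConfig produces when the Flags field is read through it; the tool had already printed "Failed to create sec config!" and carried on. The following is an added example, not code from the issue or from MsQuic: the EXAMPLE_* types, EX_STATUS codes, create_sec_config and client_initial_handshake are stand-ins chosen here to show the unchecked dereference next to a hardened check and a caller that fails fast instead of building a TLS context on a NULL security config.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in definitions for this example only. They are NOT MsQuic's real
 * CXPLAT_TLS_CONFIG / CXPLAT_SEC_CONFIG layouts; they reproduce only the
 * shape of the check quoted from tls_schannel.c. */
#define QUIC_CREDENTIAL_FLAG_CLIENT 0x00000001u

typedef struct EXAMPLE_SEC_CONFIG {
    uint32_t Flags;                          /* QUIC_CREDENTIAL_FLAG_* bits */
} EXAMPLE_SEC_CONFIG;

typedef struct EXAMPLE_TLS_CONFIG {
    bool IsServer;
    const EXAMPLE_SEC_CONFIG *SecConfig;     /* NULL when sec-config creation failed */
} EXAMPLE_TLS_CONFIG;

typedef enum {
    EX_SUCCESS = 0,
    EX_INVALID_PARAMETER,                    /* role/flag mismatch, as in the quoted check */
    EX_INVALID_STATE                         /* no security config to operate on */
} EX_STATUS;

/* The check as quoted in the report: SecConfig is dereferenced with no NULL
 * test. Calling this with Config->SecConfig == NULL is the access violation. */
EX_STATUS tls_initialize_as_reported(const EXAMPLE_TLS_CONFIG *Config) {
    if (Config->IsServer != !(Config->SecConfig->Flags & QUIC_CREDENTIAL_FLAG_CLIENT)) {
        return EX_INVALID_PARAMETER;
    }
    return EX_SUCCESS;
}

/* Hardened variant (hypothetical): validate the pointer before the comparison. */
EX_STATUS tls_initialize_checked(const EXAMPLE_TLS_CONFIG *Config) {
    if (Config == NULL || Config->SecConfig == NULL) {
        return EX_INVALID_STATE;
    }
    return tls_initialize_as_reported(Config);
}

/* Convenience wrapper: build a config for a given role and credential flags
 * and run the hardened check on it. */
EX_STATUS role_check_with_flags(bool is_server, uint32_t flags) {
    EXAMPLE_SEC_CONFIG sc = { flags };
    EXAMPLE_TLS_CONFIG cfg = { is_server, &sc };
    return tls_initialize_checked(&cfg);
}

/* Simulated security-config creation. The real one talks to Schannel and can
 * fail; `creation_fails` stands in for that outcome. */
EX_STATUS create_sec_config(bool creation_fails, uint32_t flags,
                            EXAMPLE_SEC_CONFIG *storage,
                            const EXAMPLE_SEC_CONFIG **result) {
    if (creation_fails) {
        *result = NULL;
        return EX_INVALID_STATE;
    }
    storage->Flags = flags;
    *result = storage;
    return EX_SUCCESS;
}

/* Caller-side fix (hypothetical): the tool printed "Failed to create sec
 * config!" and kept going; here the failure is propagated so TLS
 * initialization is never reached with a NULL SecConfig. */
EX_STATUS client_initial_handshake(bool creation_fails) {
    EXAMPLE_SEC_CONFIG storage;
    EXAMPLE_TLS_CONFIG cfg = { false, NULL };

    EX_STATUS st = create_sec_config(creation_fails, QUIC_CREDENTIAL_FLAG_CLIENT,
                                     &storage, &cfg.SecConfig);
    if (st != EX_SUCCESS) {
        fprintf(stderr, "Failed to create sec config! Aborting before TLS init.\n");
        return st;
    }
    return tls_initialize_checked(&cfg);
}

int main(void) {
    printf("creation fails   -> status %d\n", client_initial_handshake(true));
    printf("creation ok      -> status %d\n", client_initial_handshake(false));
    printf("server w/ client creds -> status %d\n",
           role_check_with_flags(true, QUIC_CREDENTIAL_FLAG_CLIENT));
    return 0;
}
```

The first two results show the difference the caller-side check makes: with creation failing, the handshake path returns EX_INVALID_STATE instead of dereferencing NULL; with creation succeeding, the role/flag comparison runs as before.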

Assignees

No one assigned

Labels

  • Bug: Test/Tool (Code bug in the test or tool specific code.)
  • external (Proposed by non-MSFT)