-
Notifications
You must be signed in to change notification settings - Fork 226
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Frame::parse() input type is confusing #41
Comments
It is not that simple. The input comes from a network buffer that has to receive proper feedback. Please take a look at Looks like the proper input type for it is Probably the |
FWIW I'm happily using Frame::parse() for fuzzing the frame parser right now. https://github.com/Shnatsel/tungstenite-afl I've found no crashes or even debug mode panics, but it did autogenerate 15 frames that cover just about every possible path it can take. They're committed to the repo, you might want to use them as unit tests or some such. I'll see if I can use cargo-fuzz instead, it might or might not fail because of linked C dependencies. If it works, I'll probably open a pull request with several different fuzzing targets. For one, equivalence fuzzing for masking would be interesting - both to verify that naive and optimized implementation return the same result, and that the unsafe code doesn't do horribly wrong things to memory. |
After reading the implementation of At no point this function extends the underlying input vector. So at the very least it should not be using I see you went with You could also omit
The problem with exposing types from other crates API of which has not been stabilized ( In other news, cargo-fuzz works with tungstenite just fine, so I'll probably |
FWIW I agree with this - I think tungstenite should expose public API is there is actual demand for it, the default approach should be to keep the API minimal. @Shnatsel Very nice work with the fuzzing. I think it'd be even more interesting to fuzz at a higher level than the |
Address, memory, leak and thread sanitizers all work. Undefined behavior sanitizer does not, it seems to be too closely coupled with C/C++. See https://github.com/japaric/rust-san I have left this target to fuzz overnight with address sanitizer just in case, it found no issues. Fuzzing mask.rs under sanitizers could be interesting, I'll see if I can get a harness for that going. Do you have any specific functions to fuzz in mind? The fuzzing targets are fairly trivial, all they do is accept |
Assuming Rust is good on its guarantees, the first thing to concentrate on is unsafe code. In tungstenite I believe there 2 places with unsafe (ignoring 3rd party libraries): in For the masking code, I think the 3 main things to vary during fuzzing are:
and the result should be compared to what Afterwards, should concentrate on panics. Integer overflows, out-of-bounds access, etc. For this I would fuzz Note: I personally only use the |
I've fuzzed This is literally the first crate I ever see that didn't turn up at least panics when fuzzed for the first time. Kudos to the authors! I will contribute the fuzzing harness and the generated inputs to tungstenite repository shortly. |
Frame::parse()
accepts the input to be parsed as the following type:&mut Cursor<Vec<u8>>
First, the use of vector instead of slice is confusing. A slice should be sufficient since the function is not expected to append anything to the input. Unless it has an undocumented side effect, this should be a slice. The use of vector actually creates a superfluous copy in something I'm currently writing.
Second, the use of
&mut Cursor
is not obvious to me. If the Cursor is there to mark some bytes as already processed, then the function should just accept&mut [u8]
and reduce the length of the input slice, likewrite!
macro from the standard library does.The text was updated successfully, but these errors were encountered: