fuzzing: fix harness bugs

There are multiple false positive bugs in harness due to improper use of the internal API. Link: Null-dereference 69741 <https://oss-fuzz.com/testcase-detail/4581551606661120> Link: Null-dereference 69745 <https://oss-fuzz.com/testcase-detail/5276662569172992> Link: Null-dereference 69754 <https://oss-fuzz.com/testcase-detail/4805770206576640> Fixes: a93d878 ("fuzzing: add fuzzing targets")
nginx · Jul 10, 2024 · d9b1ba2 · d9b1ba2
1 parent 91a4bfd
commit d9b1ba2
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/fuzzing/nxt_http_controller_fuzz.c b/fuzzing/nxt_http_controller_fuzz.c
@@ -76,6 +76,14 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
         goto failed;
     }
 
+    r_controller->conn = nxt_mp_zget(mp, sizeof(nxt_conn_t));
+    if (r_controller->conn == NULL) {
+        goto failed;
+    }
+
+    nxt_main_log.level = NXT_LOG_ALERT;
+    r_controller->conn->log = nxt_main_log;
+
     nxt_http_fields_process(rp.fields, &nxt_controller_fields_hash,
                             r_controller);
 

diff --git a/fuzzing/nxt_http_h1p_fuzz.c b/fuzzing/nxt_http_h1p_fuzz.c
@@ -75,6 +75,8 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
         goto failed;
     }
 
+    r_h1p->mem_pool = mp;
+
     nxt_http_fields_process(rp.fields, &nxt_h1p_fields_hash, r_h1p);
 
 failed:

diff --git a/fuzzing/nxt_json_fuzz.c b/fuzzing/nxt_json_fuzz.c
@@ -4,7 +4,7 @@
 
 #include <nxt_main.h>
 #include <nxt_conf.h>
-
+#include <nxt_router.h>
 
 #define KMININPUTLENGTH 2
 #define KMAXINPUTLENGTH 1024
@@ -33,18 +33,30 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     nxt_mp_t               *mp;
     nxt_str_t              input;
+    nxt_thread_t           *thr;
+    nxt_runtime_t          *rt;
     nxt_conf_value_t       *conf;
     nxt_conf_validation_t  vldt;
 
     if (size < KMININPUTLENGTH || size > KMAXINPUTLENGTH) {
         return 0;
     }
 
+    thr = nxt_thread();
+
     mp = nxt_mp_create(1024, 128, 256, 32);
     if (mp == NULL) {
         return 0;
     }
 
+    rt = nxt_mp_zget(mp, sizeof(nxt_runtime_t));
+    if (rt == NULL) {
+        goto failed;
+    }
+
+    thr->runtime = rt;
+    rt->mem_pool = mp;
+
     input.start = (u_char *)data;
     input.length = size;
 
@@ -64,6 +76,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     vldt.conf_pool = mp;
     vldt.ver = NXT_VERNUM;
 
+    rt->languages = nxt_array_create(mp, 1, sizeof(nxt_app_lang_module_t));
+    if (rt->languages == NULL) {
+        goto failed;
+    }
+
     nxt_conf_validate(&vldt);
 
     nxt_mp_destroy(vldt.pool);
-Original file line number
+Diff line change
@@ Expand Up / @@ -75,6 +75,8 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) @@
             goto failed;
         }
+        r_h1p->mem_pool = mp;
         nxt_http_fields_process(rp.fields, &nxt_h1p_fields_hash, r_h1p);
     failed:
@@ Expand Down @@