Merge pull request zeromq#3905 from bluca/fuzzers

Problems: potential memory leak in test_connect_curve_fuzzer, SECURITY.md could use some updates
disguise-one · May 9, 2020 · 0244d80 · 0244d80
2 parents be77a8d + fb9d055
commit 0244d80
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 3 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -6,6 +6,7 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
+| 4.3.x   | :white_check_mark: |
 | 4.2.x   | :white_check_mark: |
 | 4.1.x   | :white_check_mark: |
 | 4.0.x   | :white_check_mark: |
@@ -21,6 +22,29 @@ please send a GPG encrypted email with the details to the maintainers:
 | Doron Somech | [email protected] | E0B0 E3D1 55DD 6ED6 71FB  2B79 D0B9 CC44 867D 8F3D |
 | Luca Boccassi | [email protected] | A9EA 9081 724F FAE0 484C 35A1 A81C EA22 BC8C 7E2E |
 
+## Internal severity classification
+
+We will attempt to follow this general policy when assigning a severity to
+security issues. These are guidelines more than rules, and as such end
+results might vary.
+
+
+| Severity | Definition |
+| -------- | ---------- |
+| CRITICAL | endpoints using STRONG authentication are SILENTLY affected |
+| HIGH | endpoints using STRONG authentication are VISIBLY affected |
+| MODERATE | endpoints NOT using STRONG authentication are SILENTLY affected |
+| LOW | endpoints NOT using STRONG authentication are VISIBLY affected |
+
+STRONG authentication means transports that use cryptography, for example CURVE
+and TLS.
+
+VISIBLY affected means that platform owners are likely to immediately notice
+misbehaviours, like crashes or loss of connectivity for legitimate peers.
+
+SILENTLY affected means that without close inspection, platform owners are
+unlikely to notice misbehaviours, like remote code executions or data exfiltration.
+
 ### Public keys
 <details>
 <summary>Doron Somech</summary>

diff --git a/tests/test_bind_curve_fuzzer.cpp b/tests/test_bind_curve_fuzzer.cpp
@@ -71,14 +71,14 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
         send (client, (void *) data, 202, MSG_NOSIGNAL);
         data += 202;
         size -= 202;
-        recv (client, buf, 170, 0);
+        recv (client, buf, 170, MSG_DONTWAIT);
     }
     // Then send READY and expect INITIATE if there's enough data
     if (size >= 301) {
         send (client, (void *) data, 301, MSG_NOSIGNAL);
         data += 301;
         size -= 301;
-        recv (client, buf, 512, 0);
+        recv (client, buf, 512, MSG_DONTWAIT);
     }
     msleep (250);
     for (ssize_t sent = 0; size > 0 && (sent != -1 || errno == EINTR);

diff --git a/tests/test_connect_curve_fuzzer.cpp b/tests/test_connect_curve_fuzzer.cpp
@@ -91,8 +91,10 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 
     zmq_msg_t msg;
     zmq_msg_init (&msg);
-    while (-1 != zmq_msg_recv (&msg, client, ZMQ_DONTWAIT))
+    while (-1 != zmq_msg_recv (&msg, client, ZMQ_DONTWAIT)) {
         zmq_msg_close (&msg);
+        zmq_msg_init (&msg);
+    }
 
     close (server_accept);
     close (server);