Bound the number of API calls in ssl_ctx_api.cc.

By spamming just two bytes, this fuzzer can bounce between SSL_CTX_use_certificate and SSL_CTX_get0_certificate, which continually runs d2i_X509 on some certificate. Doing that nearly 400,000 times is not particularly useful. Bound the number of API calls. Start with 10,000 and see if the fuzzers are still unhappy. Bug: oss-fuzz:17748 Change-Id: I074fa08475fffcb86c02e64dcb9c5c7c69bcda71 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/37765 Commit-Queue: Adam Langley <[email protected]> Reviewed-by: Adam Langley <[email protected]>
ClickHouse · Sep 27, 2019 · 63e96f2 · 63e96f2
1 parent 3a35522
commit 63e96f2
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/fuzz/ssl_ctx_api.cc b/fuzz/ssl_ctx_api.cc
@@ -253,6 +253,7 @@ static bool GetVector(std::vector<T> *out, CBS *cbs) {
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
   constexpr size_t kMaxExpensiveAPIs = 100;
+  constexpr size_t kMaxAPIs = 10000;
   unsigned expensive_api_count = 0;
 
   const std::function<void(SSL_CTX *, CBS *)> kAPIs[] = {
@@ -501,7 +502,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
   CBS cbs;
   CBS_init(&cbs, buf, len);
 
-  for (;;) {
+  for (unsigned i = 0; i < kMaxAPIs; i++) {
     uint8_t index;
     if (!CBS_get_u8(&cbs, &index)) {
       break;