[EXAMPLE] How to add a source3 fuzz target

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Jan 15 04:02:51 UTC 2020


On 14/01/20 10:38 AM, Jeremy Allison wrote:

>> Needless to say, I have found no crashes with this particular patch,
>> and I suspect it is not actually a very good target. But perhaps it is
>> an excellent target and we just happen to have very good code!
> 
> Thanks Douglas, this is a *really* helpful guide - much appreciated !
> 
> nmblib_parse_packet is old code that has been kicked *very hard*
> over the years, so I'm hoping it's just good code now :-).

Yes, though you are too wise to venture beyond "hope".

The question of target scale and selection is actually quite tricky. If
you include a vast tree of possibilities the fuzzer gets lost, winding
through a million paths without ever meeting the interesting bits.

If your target is too narrow and simple and robust (like parse_packet,
we hope), the fuzzer is doomed to spend eternity beating itself against
a few dozen impregnable branches. And this eternity is not entirely
theoretical, thanks to Google's oss-fuzz. The resources used are not
just contributing to climate disaster, etc -- they are taking compute
time that would otherwise go to better fuzzers from Samba and other free
software projects.

So if we *really* think a fuzz target is wasting its time, we should not
build it. I believe this one is above that threshold. Right now, in the
dark corner of a Google cloud data centre, oss-fuzz is thrashing the
daylights out of bin/fuzz_ndr_icoffeemachine. We might want to revisit that.

BTW, the patch in question is now a merge request:

https://gitlab.com/samba-team/samba/merge_requests/1057

Douglas
