item 33441863

kdbg | 3 years ago

It is, it'll build a few fuzzers hitting different areas[0]. The important function in many of those `.c` files is `FuzzerTestOneInput` which is effectively the entrypoint for a single fuzz test.

Taking a look at x509.c[1], which I believe is the most likely to be able to reach the punycode parser (I am not at all familiar with the codebase), you can see that the OpenSSL fuzzer is basically doing a holistic fuzz (I assume the i2d* and d2i* functions exercise the parser); that is, it's just invoking key entrypoints that in theory can exercise all the rest of the functionality with the correct inputs.

Hanno's fuzzer, on the other hand, is explicitly only testing the `ossl_punnycode_decode` function[3].

Given the breadth of the fuzzer, I think it's very possible OSS-Fuzz just didn't hit it.

[0] https://github.com/openssl/openssl/blob/master/fuzz/

[1] https://github.com/openssl/openssl/blob/master/fuzz/x509.c

[2] https://twitter.com/hanno/status/1587775675397726209/photo/2
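As an added illustration of the distinction kdbg draws above (this is not code from OpenSSL or from anyone in the thread): a libFuzzer-style harness with the same one-input entry point shape as OpenSSL's `FuzzerTestOneInput`, but pointed straight at a single decoder instead of at the X.509 parser. The decoder it targets is a constructed RFC 3492 punycode decoder written for this example, not `ossl_punycode_decode`; its bounds and overflow checks are the kind of code a narrow target like this reaches almost immediately, while a holistic `d2i_X509()` harness may never get there.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
/* Constructed RFC 3492 decoder, NOT OpenSSL's ossl_punycode_decode: it exists only so the
 * harness below has a real target. Returns 1 on success, 0 on bad input/overflow/full buffer. */
static unsigned adapt(unsigned delta, unsigned numpoints, int first) {
    unsigned k = 0;
    delta = (first ? delta / 700 : delta / 2); delta += delta / numpoints;
    for (; delta > 455; k += 36) delta /= 35;
    return k + 36 * delta / (delta + 38);
}
static int digit_value(unsigned char c) {            /* a-z/A-Z -> 0..25, 0-9 -> 26..35 */
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    return (c >= '0' && c <= '9') ? c - '0' + 26 : -1;
}
int punycode_decode(const char *in, size_t in_len, unsigned *out, unsigned *out_len, unsigned cap) {
    size_t b = 0, j;
    unsigned n = 128, bias = 72, i = 0, len = 0, w, k, t, p;
    for (j = 0; j < in_len; j++) if (in[j] == '-') b = j;           /* last delimiter */
    if (b > cap) return 0;                                           /* basic part alone overflows */
    for (j = 0; j < b; j++) { if ((unsigned char)in[j] >= 128) return 0; out[len++] = (unsigned char)in[j]; }
    for (j = b > 0 ? b + 1 : 0; j < in_len; ) {
        unsigned oldi = i;
        for (w = 1, k = 36; ; k += 36) {
            int d = digit_value((unsigned char)in[j++]);
            if (d < 0 || (unsigned)d > (UINT_MAX - i) / w) return 0; /* bad digit or overflow */
            i += (unsigned)d * w;
            t = k <= bias ? 1 : k >= bias + 26 ? 26 : k - bias;
            if ((unsigned)d < t) break;
            if (w > UINT_MAX / (36 - t) || j >= in_len) return 0;    /* overflow or truncated */
            w *= 36 - t;
        }
        bias = adapt(i - oldi, len + 1, oldi == 0);
        if (i / (len + 1) > UINT_MAX - n) return 0;
        n += i / (len + 1); i %= len + 1;
        if (len >= cap) return 0;                  /* the bounds check a targeted fuzzer exercises */
        for (p = len; p > i; p--) out[p] = out[p - 1];               /* insert n at position i */
        out[i++] = n; len++;
    }
    *out_len = len; return 1;
}
/* libFuzzer-style entry point, same shape as FuzzerTestOneInput in OpenSSL's fuzz/x509.c but aimed
 * at the decoder only; built with -fsanitize=fuzzer,address, any OOB write aborts with the crash input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    unsigned out[64], out_len = 0;
    punycode_decode((const char *)data, size, out, &out_len, 64);
    return 0;
}
```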

kramerger | 3 years ago

Given how much horse power and experience they have, this is very disappointing.

kelnos | 3 years ago

"They" who? Ever since Heartbleed, the OpenSSL project is still woefully underfunded given its importance to... well, everything on the internet.