Ekaterina Zilotina created DIRSERVER-2407:
---------------------------------------------
Summary: Exceptions in AvlTreeMarshaller methods
Key: DIRSERVER-2407
URL: https://issues.apache.org/jira/browse/DIRSERVER-2407
Project: Directory ApacheDS
Issue Type: Bug
Components: avl
Affects Versions: 2.0.0.AM26
Reporter: Ekaterina Zilotina
Attachments:
ArrayIndexOutOfBoundsException_AvlTreeMarshaller-crash-16896274381ffe7838ad7dc5b02b35c6e43236e5,
ArrayIndexOutOfBoundsException_AvlTreeMarshaller-crash-f07dfaecf42d08b9a43f77ff0e7757d456e107d2,
DeserializeAvlTree.java.txt,
NegativeArraySizeException_AvlTreeMarshaller-crash-297f1f36076cf27427dfbbb57b52c120a53a1866,
NotEqualsTrees.txt,
NullPointerException_AvlTreeMarshaller-crash-1d904a2826cc48de5b377e155b1d4163f09d6bee,
OutOfMemoryError_AvlTreeMarshaller-crash-6f61ea77cfbd72c8e669d5e36054bd1d3e2b0e6c,
errorFile-1a59c9e7-90a3-46a4-8755-8909c93ce612, jazzer_output.txt
Class: AvlTreeMarshaller<>
Method: deserialize()
I performed fuzz testing of the deserialize() method of an
AvlTreeMarshaller<Integer> object with a normal ascending comparator. I wrote
the test using AvlTreeMarshallerTest as an example. As a result of the fuzzing
tests, there are some unhandled exceptions:
1. ArrayIndexOutOfBoundsException in the readTree() method may be thrown by the
instruction
[in line 239|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L239],
or by calling the keyMarshaller.deserialize() method
[in line 235|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L235];
2. NullPointerException in the readTree() method may be thrown by the instruction
[in line 130|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L130C23-L130C46]
keyMarshaller.serialize();
3. NegativeArraySizeException in the readTree() method may be thrown by the
instruction
[in line 230|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L230];
4. OutOfMemoryError when running with the '-Xmx1620m' option
[while creating an array with a size value from the input data|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L188]
(see DEDUP_TOKEN: bac12c1dd0658676 in fuzzer_output.txt).
This may not pose a threat to ApacheDS, but there is no handling of it in this
area of code. Perhaps you should add other exception types (or the base
Exception type) to the decode() function signature, or wrap the specified
methods in try/catch blocks?
Secondly, my tests compared the result of deserialization into an AVL tree and
serialization back into a set of bytes with the input bytes. In some cases,
these sets of bytes did not match, but logically they should match (or not?). In
addition, some trees are read correctly and accurately displayed in the console
via printTree(), but they don't represent balanced trees (NotEqualsTrees.txt).
For this reason, how about adding some checks to the deserialized tree before
its further use? I understand that it can break some logic of avltree in
ApacheDS, but maybe it can improve the code.
Crash samples, the fuzz test, the jazzer log, the input bytes for the mismatched
result (errorFile-1a59c9e7-90a3-46a4-8755-8909c93ce612) and its representation
(NotEqualsTrees.txt) are below.
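
An added example (not part of the original report and not ApacheDS code) of the kind of check that turns the reported unchecked exceptions into a single checked IOException: every size and index read from the input is validated against policy limits and against the bytes actually remaining before it is used to allocate or index an array. The wire format, class name and limits are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

/** Added example; the wire format below is constructed, not ApacheDS's own. */
public class BoundedNodeReader {
    static final int MAX_NODES = 1 << 16;     // assumed policy limits
    static final int MAX_KEY_BYTES = 1 << 12;

    /** Reads [int count], then count x ([int keyLen][key bytes][int index]). */
    static byte[][] readNodes(byte[] data) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(data));
        int count = in.readInt();
        // Each node needs at least 8 bytes, so the remaining input bounds the count.
        if (count < 0 || count > MAX_NODES || count > in.available() / 8) {
            throw new IOException("node count out of range: " + count);
        }
        byte[][] keys = new byte[count][];
        for (int i = 0; i < count; i++) {
            int keyLen = in.readInt();
            // The remaining input must cover the key bytes plus the 4-byte index.
            if (keyLen < 0 || keyLen > MAX_KEY_BYTES || keyLen > in.available() - 4) {
                throw new IOException("key length out of range: " + keyLen);
            }
            byte[] key = new byte[keyLen];
            in.readFully(key);
            int index = in.readInt();
            // Reject indexes outside the array and slots that are already filled.
            if (index < 0 || index >= count || keys[index] != null) {
                throw new IOException("bad or duplicate node index: " + index);
            }
            keys[index] = key;
        }
        return keys;
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: one valid record and three malformed ones.
        byte[] ok = {0, 0, 0, 1, 0, 0, 0, 1, 42, 0, 0, 0, 0};
        byte[] negative = {(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        byte[] huge = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        byte[] badIndex = {0, 0, 0, 1, 0, 0, 0, 1, 42, 0, 0, 0, 5};
        System.out.println("ok -> " + readNodes(ok).length + " node(s)");
        for (byte[] sample : new byte[][] {negative, huge, badIndex}) {
            try { readNodes(sample); }
            catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```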