[ https://issues.apache.org/jira/browse/DIRSERVER-2407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17875844#comment-17875844 ]

Emmanuel Lécharny commented on DIRSERVER-2407:
----------------------------------------------

* A negative len check has been added in the {{AvlTreeMarshaller.readTree()}} method.
* The various {{keyMarshaller.deserialize( data )}} functions have been completed to throw a dedicated exception when the length is negative.

> Exceptions in AvlTreeMarshaller methods
> ---------------------------------------
>
>                 Key: DIRSERVER-2407
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2407
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: avl
>    Affects Versions: 2.0.0.AM26
>            Reporter: Ekaterina Zilotina
>            Priority: Major
>         Attachments: ArrayIndexOutOfBoundsException_AvlTreeMarshaller-crash-16896274381ffe7838ad7dc5b02b35c6e43236e5,
>                      ArrayIndexOutOfBoundsException_AvlTreeMarshaller-crash-f07dfaecf42d08b9a43f77ff0e7757d456e107d2,
>                      DeserializeAvlTree.java.txt,
>                      NegativeArraySizeException_AvlTreeMarshaller-crash-297f1f36076cf27427dfbbb57b52c120a53a1866,
>                      NotEqualsTrees.txt,
>                      NullPointerException_AvlTreeMarshaller-crash-1d904a2826cc48de5b377e155b1d4163f09d6bee,
>                      OutOfMemoryError_AvlTreeMarshaller-crash-6f61ea77cfbd72c8e669d5e36054bd1d3e2b0e6c,
>                      errorFile-1a59c9e7-90a3-46a4-8755-8909c93ce612, jazzer_output.txt
>
>
> Class: AvlTreeMarshaller<>
> Method: deserialize()
> I performed fuzz testing of the deserialize() method of an AvlTreeMarshaller<Integer> object with a normal ascending comparator. I wrote the test using AvlTreeMarshallerTest as an example. As a result of the fuzzing tests there are some unhandled exceptions:
> 1. ArrayIndexOutOfBoundsException in the readTree() method may be thrown by the instruction [in line 239|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L239], or by calling the keyMarshaller.deserialize() method [in line 235|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L235]
> 2. NullPointerException in the readTree() method may be thrown by the instruction [in line 130|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L130C23-L130C46] keyMarshaller.serialize();
> 3. NegativeArraySizeException in the readTree() method may be thrown by the instruction [in line 230|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L230]
> 4. OutOfMemoryError when running with the '-Xmx1620m' option [while creating an array with the size value taken from the input data|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/core-avl/src/main/java/org/apache/directory/server/core/avltree/AvlTreeMarshaller.java#L188] (see DEDUP_TOKEN: bac12c1dd0658676 in fuzzer_output.txt).
> This may not pose a threat to apacheds, but there is no handling of it in this area of code. Perhaps you should add other exception types (or the base Exception type) to the decode() function signature, or wrap the specified methods in try/catch blocks?
> Secondly, my tests compared the result of deserialization into an AVL tree and serialization back into a set of bytes with the input bytes. In some cases these sets of bytes did not match, but logically they should match (or not?). In addition, some trees are read correctly and accurately displayed in the console via printTree(), but they do not represent balanced trees (NotEqualsTrees.txt). For this reason, how about adding some checks to the deserialized tree before its further use? I understand that it can break some logic of avltree in apacheds, but maybe it can improve the code.
> Crash samples, the fuzz test, the jazzer log, the bytes input with the mismatched result (errorFile-1a59c9e7-90a3-46a4-8755-8909c93ce612) and its representation (NotEqualsTrees.txt) are below.
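As an added illustration of the length check described in the comment above (not code from ApacheDS or from this thread), here is a small Python decoder for a simplified, constructed length-prefixed tree encoding: the key length read from the stream is validated before anything is allocated or sliced, and a single dedicated MalformedTreeError takes the place of the NegativeArraySizeException, ArrayIndexOutOfBoundsException and OutOfMemoryError failures the report lists; the node layout, MAX_KEY_LEN and all function names are assumptions, and encode() is there so a caller can do the round-trip comparison the reporter describes.

```python
import struct

class MalformedTreeError(ValueError):
    """Dedicated error for untrusted input; the role of the exception the fix adds."""
MAX_KEY_LEN = 4096  # assumed cap on one serialized key; not a constant of the real marshaller

def read_tree(buf: bytes):
    """Decode a constructed pre-order encoding (simplified, not ApacheDS's real format):
    node := int32 keyLen | key bytes | flags byte (bit0 = has left, bit1 = has right)."""
    pos = 0
    def read_int() -> int:
        nonlocal pos
        if pos + 4 > len(buf):
            raise MalformedTreeError(f"truncated length field at offset {pos}")
        (value,) = struct.unpack_from(">i", buf, pos)  # signed, like DataInputStream.readInt
        pos += 4
        return value

    def read_node():
        nonlocal pos
        key_len = read_int()
        # Check the length before allocating or slicing: negative, oversized and past-the-end
        # values are the NegativeArraySize, OutOfMemory and ArrayIndexOutOfBounds cases reported.
        if key_len < 0 or key_len > MAX_KEY_LEN or pos + key_len > len(buf):
            raise MalformedTreeError(f"bad key length {key_len} at offset {pos - 4}")
        key = buf[pos:pos + key_len]
        pos += key_len
        if pos >= len(buf):
            raise MalformedTreeError(f"missing child flags at offset {pos}")
        flags = buf[pos]
        pos += 1
        left = read_node() if flags & 1 else None
        right = read_node() if flags & 2 else None
        return (key, left, right)

    return read_node()

def encode(tree) -> bytes:
    """Inverse of read_tree, so a caller can check encode(read_tree(x)) == x."""
    key, left, right = tree
    flags = (1 if left is not None else 0) | (2 if right is not None else 0)
    out = struct.pack(">i", len(key)) + key + bytes([flags])
    return out + (encode(left) if left else b"") + (encode(right) if right else b"")

def rejects(buf: bytes) -> bool:
    try:
        read_tree(buf)
        return False
    except MalformedTreeError:
        return True
```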



--
This message was sent by Atlassian Jira
(v8.20.10#820010)