Bug #5127

closed

Wrong assertion in AccessStrategy::findPrefixMeasurements

Added by Davide Pesavento over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Category: Forwarding
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Tags:

Description

This assertion doesn't seem to be correct. If the code isn't prepared to handle a non-existing MtInfo (as the comment below that line says), it should have a safe fallback but not crash. In fact, the calling code already handles the case mi == nullptr gracefully, so I'm not sure why the assert was added in the first place.

This bug was found by NFDFuzz, an experimental fuzzer for NFD and ndn-cxx.

Stack trace of the failed assertion:

fuzzer: ../daemon/fw/access-strategy.cpp:261: std::tuple<Name, AccessStrategy::MtInfo *> nfd::fw::AccessStrategy::findPrefixMeasurements(const pit::Entry &): Assertion `mi != nullptr' failed.
==5844== ERROR: libFuzzer: deadly signal
    #0 0x5dbbc1 in __sanitizer_print_stack_trace (/home/gtorresz/nfdfuzzer/NFD/build/daemon/fuzzer/fuzzer+0x5dbbc1)
    #1 0xe86e98 in fuzzer::PrintStackTrace() /home/gtorresz/nfdfuzzer/fuzzer/FuzzerUtil.cpp:210:5
    #2 0xe720ee in fuzzer::Fuzzer::CrashCallback() /home/gtorresz/nfdfuzzer/fuzzer/FuzzerLoop.cpp:233:3
    #3 0x7f6a2f1823bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
    #4 0x7f6a2ebe618a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #5 0x7f6a2ebc5858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #6 0x7f6a2ebc5728  (/lib/x86_64-linux-gnu/libc.so.6+0x25728)
    #7 0x7f6a2ebd6f35 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x36f35)
    #8 0x91dad2 in nfd::fw::AccessStrategy::findPrefixMeasurements(nfd::pit::Entry const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/access-strategy.cpp:261:3
    #9 0x91c6ca in nfd::fw::AccessStrategy::afterReceiveNewInterest(nfd::FaceEndpoint const&, ndn::Interest const&, std::shared_ptr<nfd::pit::Entry> const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/access-strategy.cpp:82:32
    #10 0x91c0b3 in nfd::fw::AccessStrategy::afterReceiveInterest(nfd::FaceEndpoint const&, ndn::Interest const&, std::shared_ptr<nfd::pit::Entry> const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/access-strategy.cpp:66:12
    #11 0x99d73b in nfd::Forwarder::onContentStoreMiss(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&)::$_5::operator()(nfd::fw::Strategy&) const /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/forwarder.cpp:217:16
    #12 0x991fd4 in void nfd::Forwarder::dispatchToStrategy<nfd::Forwarder::onContentStoreMiss(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&)::$_5>(nfd::pit::Entry&, nfd::Forwarder::onContentStoreMiss(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&)::$_5) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/forwarder.hpp:258:5
    #13 0x990bbe in nfd::Forwarder::onContentStoreMiss(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/forwarder.cpp:215:9
    #14 0x9b5d1b in void std::__invoke_impl<void, void (nfd::Forwarder::*&)(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&), nfd::Forwarder*&, nfd::FaceEndpoint&, std::shared_ptr<nfd::pit::Entry>&, ndn::Interest const&>(std::__invoke_memfun_deref, void (nfd::Forwarder::*&)(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&), nfd::Forwarder*&, nfd::FaceEndpoint&, std::shared_ptr<nfd::pit::Entry>&, ndn::Interest const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73:14
    #15 0x9b5a78 in std::__invoke_result<void (nfd::Forwarder::*&)(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&), nfd::Forwarder*&, nfd::FaceEndpoint&, std::shared_ptr<nfd::pit::Entry>&, ndn::Interest const&>::type std::__invoke<void (nfd::Forwarder::*&)(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&), nfd::Forwarder*&, nfd::FaceEndpoint&, std::shared_ptr<nfd::pit::Entry>&, ndn::Interest const&>(void (nfd::Forwarder::*&)(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&), nfd::Forwarder*&, nfd::FaceEndpoint&, std::shared_ptr<nfd::pit::Entry>&, ndn::Interest const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
    #16 0x9b5917 in void std::_Bind<void (nfd::Forwarder::* (nfd::Forwarder*, nfd::FaceEndpoint, std::shared_ptr<nfd::pit::Entry>, std::_Placeholder<1>))(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&)>::__call<void, ndn::Interest const&, 0ul, 1ul, 2ul, 3ul>(std::tuple<ndn::Interest const&>&&, std::_Index_tuple<0ul, 1ul, 2ul, 3ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:400:11
    #17 0x9b5443 in void std::_Bind<void (nfd::Forwarder::* (nfd::Forwarder*, nfd::FaceEndpoint, std::shared_ptr<nfd::pit::Entry>, std::_Placeholder<1>))(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&)>::operator()<ndn::Interest const&, void>(ndn::Interest const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:482:17
    #18 0x9a4afa in void nfd::cs::Cs::find<std::_Bind<void (nfd::Forwarder::* (nfd::Forwarder*, nfd::FaceEndpoint, std::shared_ptr<nfd::pit::Entry>, std::_Placeholder<1>, std::_Placeholder<2>))(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&, ndn::Data const&)>, std::_Bind<void (nfd::Forwarder::* (nfd::Forwarder*, nfd::FaceEndpoint, std::shared_ptr<nfd::pit::Entry>, std::_Placeholder<1>))(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&)> >(ndn::Interest const&, std::_Bind<void (nfd::Forwarder::* (nfd::Forwarder*, nfd::FaceEndpoint, std::shared_ptr<nfd::pit::Entry>, std::_Placeholder<1>, std::_Placeholder<2>))(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&, ndn::Data const&)>&&, std::_Bind<void (nfd::Forwarder::* (nfd::Forwarder*, nfd::FaceEndpoint, std::shared_ptr<nfd::pit::Entry>, std::_Placeholder<1>))(nfd::FaceEndpoint const&, std::shared_ptr<nfd::pit::Entry> const&, ndn::Interest const&)>&&) const /home/gtorresz/nfdfuzzer/NFD/build/../daemon/table/cs.hpp:85:7
    #19 0x98e962 in nfd::Forwarder::onIncomingInterest(nfd::FaceEndpoint const&, ndn::Interest const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/forwarder.cpp:152:10
    #20 0x9ac2f0 in nfd::Forwarder::startProcessInterest(nfd::FaceEndpoint const&, ndn::Interest const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/forwarder.hpp:87:11
    #21 0x99bac3 in nfd::Forwarder::Forwarder(nfd::FaceTable&)::$_2::operator()(nfd::face::Face const&) const::'lambda'(ndn::Interest const&, unsigned long const&)::operator()(ndn::Interest const&, unsigned long const&) const /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fw/forwarder.cpp:59:15
    #22 0x99b7c0 in std::_Function_handler<void (ndn::Interest const&, unsigned long const&), nfd::Forwarder::Forwarder(nfd::FaceTable&)::$_2::operator()(nfd::face::Face const&) const::'lambda'(ndn::Interest const&, unsigned long const&)>::_M_invoke(std::_Any_data const&, ndn::Interest const&, unsigned long const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:300:2
    #23 0x7896d3 in std::function<void (ndn::Interest const&, unsigned long const&)>::operator()(ndn::Interest const&, unsigned long const&) const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:688:14
    #24 0x786b2f in ndn::util::signal::Signal<nfd::face::LinkService, ndn::Interest, unsigned long>::operator()(ndn::Interest const&, unsigned long const&) /usr/local/include/ndn-cxx/util/signal/signal.hpp:232:7
    #25 0x782c81 in nfd::face::LinkService::receiveInterest(ndn::Interest const&, unsigned long const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/link-service.cpp:94:3
    #26 0x72c8d9 in nfd::face::GenericLinkService::decodeInterest(ndn::Block const&, ndn::lp::Packet const&, unsigned long const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/generic-link-service.cpp:411:9
    #27 0x7291d9 in nfd::face::GenericLinkService::decodeNetPacket(ndn::Block const&, ndn::lp::Packet const&, unsigned long const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/generic-link-service.cpp:340:17
    #28 0x72801b in nfd::face::GenericLinkService::doReceivePacket(ndn::Block const&, unsigned long const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/generic-link-service.cpp:320:13
    #29 0x8b4494 in nfd::face::LinkService::receivePacket(ndn::Block const&, unsigned long const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/link-service.hpp:240:3
    #30 0x8af66a in nfd::face::Transport::receive(ndn::Block const&, unsigned long const&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/transport.cpp:122:14
    #31 0xd3e781 in nfd::face::StreamTransport<boost::asio::local::stream_protocol>::handleReceive(boost::system::error_code const&, unsigned long) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/stream-transport.hpp:258:11
    #32 0xd3e0d8 in auto nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(auto&&...)::operator()<boost::system::error_code const&, unsigned long const&>(auto&&...) const /home/gtorresz/nfdfuzzer/NFD/build/../daemon/face/stream-transport.hpp:233:58
    #33 0xd3e068 in boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>::operator()() /usr/include/boost/asio/detail/bind_handler.hpp:164:5
    #34 0xd3e030 in void boost::asio::asio_handler_invoke<boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long> >(boost::asio::local::stream_protocol&, ...) /usr/include/boost/asio/handler_invoke_hook.hpp:69:3
    #35 0xd3e005 in void boost_asio_handler_invoke_helpers::invoke<boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>, nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...)>(boost::asio::local::stream_protocol&, boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>&) /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37:3
    #36 0xd3df90 in void boost::asio::detail::asio_handler_invoke<boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>, nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>(boost::asio::local::stream_protocol&, boost::asio::detail::binder2<boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>, nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code>*) /usr/include/boost/asio/detail/bind_handler.hpp:207:3
    #37 0xd3dca3 in void boost_asio_handler_invoke_helpers::invoke<boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>, boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long> >(boost::asio::local::stream_protocol&, boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>&) /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37:3
    #38 0xd3dc17 in void boost::asio::detail::io_object_executor<boost::asio::executor>::dispatch<boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>, std::allocator<void> >(boost::asio::local::stream_protocol&&, boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long> const&) const /usr/include/boost/asio/detail/io_object_executor.hpp:119:9
    #39 0xd3d996 in void boost::asio::detail::handler_work<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::asio::detail::io_object_executor<boost::asio::executor>, boost::asio::detail::io_object_executor<boost::asio::executor> >::complete<boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long> >(boost::asio::detail::binder2<nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::system::error_code, unsigned long>&, nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...)&) /usr/include/boost/asio/detail/handler_work.hpp:72:15
    #40 0xd3d1ed in boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1, nfd::face::StreamTransport<boost::asio::local::stream_protocol>::startReceive()::'lambda'(boost::asio::local::stream_protocol&&...), boost::asio::detail::io_object_executor<boost::asio::executor> >::do_complete(void*, boost::asio::detail::scheduler_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/reactive_socket_recv_op.hpp:123:9
    #41 0x62afc7 in boost::asio::detail::scheduler_operation::complete(void*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/scheduler_operation.hpp:40:5
    #42 0x664f1f in boost::asio::detail::epoll_reactor::descriptor_state::do_complete(void*, boost::asio::detail::scheduler_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/impl/epoll_reactor.ipp:776:11
    #43 0x62afc7 in boost::asio::detail::scheduler_operation::complete(void*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/scheduler_operation.hpp:40:5
    #44 0x62898e in boost::asio::detail::scheduler::do_run_one(boost::asio::detail::conditionally_enabled_mutex::scoped_lock&, boost::asio::detail::scheduler_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/scheduler.ipp:447:12
    #45 0x627d89 in boost::asio::detail::scheduler::run(boost::system::error_code&) /usr/include/boost/asio/detail/impl/scheduler.ipp:200:10
    #46 0x67470d in boost::asio::io_context::run() /usr/include/boost/asio/impl/io_context.ipp:63:24
    #47 0x65ec9d in nfd::NfdRunner::run(std::mutex&, std::condition_variable&, bool&) /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fuzzer/nfd_runner.hpp:201:15
    #48 0x65dfdc in SetUp::$_3::operator()() const /home/gtorresz/nfdfuzzer/NFD/build/../daemon/fuzzer/fuzzer.cpp:171:20
    #49 0x65de60 in int std::__invoke_impl<int, SetUp::$_3>(std::__invoke_other, SetUp::$_3&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:60:14
    #50 0x65dd90 in std::__invoke_result<SetUp::$_3>::type std::__invoke<SetUp::$_3>(SetUp::$_3&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
    #51 0x65dd48 in int std::thread::_Invoker<std::tuple<SetUp::$_3> >::_M_invoke<0ul>(std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:244:13
    #52 0x65dcf8 in std::thread::_Invoker<std::tuple<SetUp::$_3> >::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:251:11
    #53 0x65db0c in std::thread::_State_impl<std::thread::_Invoker<std::tuple<SetUp::$_3> > >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:195:13
    #54 0x7f6a2f006cb3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6cb3)
    #55 0x7f6a2f176608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
    #56 0x7f6a2ecc2102 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)
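
A simplified model of the failure mode in this report, as an added example that is not NFD code and not the change that closed the issue: a longest-prefix lookup can land on a measurements entry that carries no MtInfo, and the hardened path either keeps searching or returns nullptr for the caller to handle instead of asserting. The types, the `requireInfo` flag, `chooseAction`, `sampleTable` and the `multicast` fallback label are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <tuple>

// Simplified stand-ins for illustration; these are not NFD's types.
struct MtInfo { int lastNexthop; };
struct Entry { std::shared_ptr<MtInfo> info; };      // info may be absent
using Measurements = std::map<std::string, Entry>;   // key: prefix such as "/a/b"

// Walk from the full name towards "/" and return the first matching entry.
// requireInfo == false: plain longest-prefix match; the result may carry a null
// MtInfo, which is the state an assert(mi != nullptr) would abort on.
// requireInfo == true: entries without MtInfo are skipped, search continues.
std::tuple<std::string, MtInfo*>
findPrefixMeasurements(const Measurements& table, std::string name, bool requireInfo)
{
  for (;;) {
    auto it = table.find(name);
    if (it != table.end() && (!requireInfo || it->second.info)) {
      return std::make_tuple(name, it->second.info.get());
    }
    auto slash = name.rfind('/');
    if (name == "/" || slash == std::string::npos) {
      // Nothing usable: report it to the caller, do not abort.
      return std::make_tuple(std::string(), static_cast<MtInfo*>(nullptr));
    }
    name = (slash == 0) ? std::string("/") : name.substr(0, slash);
  }
}

// Caller that handles mi == nullptr gracefully, as the report says it already does.
std::string chooseAction(const Measurements& table, const std::string& interestName)
{
  std::string prefix;
  MtInfo* mi = nullptr;
  std::tie(prefix, mi) = findPrefixMeasurements(table, interestName, true);
  if (mi == nullptr) {
    return "multicast";  // hypothetical safe fallback when nothing was measured
  }
  return "unicast:" + std::to_string(mi->lastNexthop) + " via " + prefix;
}

// Constructed sample state: "/a/b" exists without MtInfo, "/a" has it.
Measurements sampleTable()
{
  Measurements t;
  t["/a/b"] = Entry{nullptr};
  t["/a"] = Entry{std::make_shared<MtInfo>(MtInfo{7})};
  return t;
}

int main() { std::cout << chooseAction(sampleTable(), "/a/b/c") << "\n"; }
```
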
#1

Updated by Davide Pesavento over 3 years ago

  • Description updated (diff)
#2

Updated by Davide Pesavento over 3 years ago

  • Status changed from New to In Progress
  • Assignee set to Davide Pesavento
  • Target version set to 22.02
#3

Updated by Davide Pesavento over 3 years ago

  • Status changed from In Progress to Code review
  • % Done changed from 0 to 100
#4

Updated by Davide Pesavento over 3 years ago

  • Status changed from Code review to Closed