Merge pull request #10102 from ctiller/fuzzing-long

Fix fuzzing detected error: stack overflow in hpack parser
diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.c b/src/core/ext/transport/chttp2/transport/hpack_parser.c
index 40f5120..1865b99 100644
--- a/src/core/ext/transport/chttp2/transport/hpack_parser.c
+++ b/src/core/ext/transport/chttp2/transport/hpack_parser.c
@@ -1620,13 +1620,18 @@
 grpc_error *grpc_chttp2_hpack_parser_parse(grpc_exec_ctx *exec_ctx,
                                            grpc_chttp2_hpack_parser *p,
                                            grpc_slice slice) {
-  /* TODO(ctiller): limit the distance of end from beg, and perform multiple
-     steps in the event of a large chunk of data to limit
-     stack space usage when no tail call optimization is
-     available */
+/* max number of bytes to parse at a time... limits call stack depth on
+ * compilers without TCO */
+#define MAX_PARSE_LENGTH 1024
   p->current_slice_refcount = slice.refcount;
-  grpc_error *error = p->state(exec_ctx, p, GRPC_SLICE_START_PTR(slice),
-                               GRPC_SLICE_END_PTR(slice));
+  uint8_t *start = GRPC_SLICE_START_PTR(slice);
+  uint8_t *end = GRPC_SLICE_END_PTR(slice);
+  grpc_error *error = GRPC_ERROR_NONE;
+  while (start != end && error == GRPC_ERROR_NONE) {
+    uint8_t *target = start + GPR_MIN(MAX_PARSE_LENGTH, end - start);
+    error = p->state(exec_ctx, p, start, target);
+    start = target;
+  }
   p->current_slice_refcount = NULL;
   return error;
 }
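Review bot: `MAX_PARSE_LENGTH` is defined inside the function body, but as a preprocessor macro it stays visible for the rest of hpack_parser.c; add `#undef MAX_PARSE_LENGTH` after the loop or move the definition to file scope. The comment should also state what the cap relies on: it bounds stack use only if the chained `p->state` handlers nest a fixed number of frames per input byte, which cannot be confirmed from this hunk. If that holds, a line such as `/* state handlers consume >= 1 byte per nested call, so depth is O(MAX_PARSE_LENGTH) */` would let a later reader re-check it when a handler changes. An empty slice (`start == end`) also no longer reaches `p->state` at all, whereas the removed code called it once; this looks harmless but is worth confirming for callers that pass zero-length slices.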
diff --git a/test/core/transport/chttp2/hpack_parser_corpus/clusterfuzz-testcase-5298216461402112 b/test/core/transport/chttp2/hpack_parser_corpus/clusterfuzz-testcase-5298216461402112
new file mode 100644
index 0000000..04d48d6
--- /dev/null
+++ b/test/core/transport/chttp2/hpack_parser_corpus/clusterfuzz-testcase-5298216461402112
Binary files differ
diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json
index b81b98b..933a6f5 100644
--- a/tools/run_tests/generated/tests.json
+++ b/tools/run_tests/generated/tests.json
@@ -114169,6 +114169,28 @@
   }, 
   {
     "args": [
+      "test/core/transport/chttp2/hpack_parser_corpus/clusterfuzz-testcase-5298216461402112"
+    ], 
+    "ci_platforms": [
+      "linux"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [
+      "tsan"
+    ], 
+    "exclude_iomgrs": [
+      "uv"
+    ], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "hpack_parser_fuzzer_test_one_entry", 
+    "platforms": [
+      "linux"
+    ], 
+    "uses_polling": false
+  }, 
+  {
+    "args": [
       "test/core/transport/chttp2/hpack_parser_corpus/crash-5ac3e1ea7764cfb6383629574262f82dc7b3cada"
     ], 
     "ci_platforms": [