Fix bugs discovered by Envoy's fuzzers on bugs.chromium.org

[htuch]

Our fuzzers run continuously on ClusterFuzz and bugs are embargoed for 90 days. We have a significant backlog and we've allowed some of the non-critical fuzz bugs (functional vs. security related) to age out past the embargo. These can be seen at:

https://bugs.chromium.org/p/oss-fuzz/issues/list?can=2&q=envoy

This GH issue is intended to remain open for anyone interested in tackling an issue here. Most of these are great starter bugs, usually requiring a small PR to fix configuration validation or the integration test framework.

[sterchelen]

Hi,

As a beginner, I can handle the 9960 issue: "Stack-overflow in google::protobuf::TextFormat::Parser::ParserImpl::SkipFieldValue"

[htuch]

Thanks @sterchelen, PRs welcome, please tag me on the PR.

[sterchelen]

Hi @htuch
I've downloaded the test case for this fuzz issue ==> here

It seems very strange regarding its format, some double quotes are not closed and strange fields name are created. Is that a normal behavior ?

[htuch]

@sterchelen the text protos are generated by https://github.com/google/libprotobuf-mutator, so should be validly formed. That said, this particular bug is a tricky one, as it probably depends on protobuf library internals and might be a corner case where we would not be able to solve Envoy-side. Do you want to try some other bug, e.g. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10130&q=envoy&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary?

[sterchelen]

All right @htuch ,
Yep, I will take it, the 10130 issue.

[sterchelen]

@htuch , I'm wondering how you debug envoy from the fuzzers side ? Do you have any documentation about that (debugging in general may be) ?

[htuch]

If you have a corpus entry, you can put this in the corpus directory for the fuzz test and debug using the same techniques as normal Envoy gtest, e.g. https://github.com/envoyproxy/envoy/tree/master/bazel#testing-envoy-with-bazel (and the sections below on gdb, stack traces, etc.). For oss-fuzz Chromium bugs, you should always have this corpus entry, so that's pretty much all. For debugging the build and fuzzers in the Docker environment, the oss-fuzz GH has more info, but I don't think you need that.

[sterchelen]

@htuch Thank you. I resolved to use gdb with envoy !
I got one question regarding the 10130 issue. I'm wondering if we have a limitation on header size. In fact, when we exceed 65536 bytes the test fail ! I saw that we are using nghttp2 but can't find any limit on header size.
Any idea ?

[htuch]

@sterchelen yep, see #4525 for config limits and

envoy/source/common/http/conn_manager_impl.cc

Line 613 in 491e641

// Check for maximum incoming header size. Both codecs have some amount of checking for maximum

for the runtime limit.