Skip to content
GitLab
Closed
Issue created by Sebastian Wilhelmi@wilhelmiReporter

fuzz_uri_parse failure

There is an ever so slight chance that this issue could be exploited for a remote DoS, so I file this as a confidential issue.

fuzzing/fuzz_uri_parse.c currently fails for certain large (>300KB) inputs, see e.g. https://oss-fuzz.com/testcase-detail/4691327330156544

Upon some investigation this is due to the fact that the remove_dot_segments function has quadratic complexity (after each replacement it will start at the beginning of the string again, see glib/guri.c:1343).

I see 3 possibilities to resolve this issue:

  • Ignore large inputs in fuzz_uri_parse.c. The fuzzing algorithm will realize this part of the fuzzing space is cut off and will not explore it further. This is the simplest solution to get rid of the fuzzing problem, but leaves the potential for large URLs to soak up time on people's machines in what could potentially be considered a remote DoS.
  • Return an error from all relevant functions if the URL is bigger than, say, 100kB. There is really no good reason for URLs to be this large. Famous last words.
  • Replace remove_dot_segments with a linear implementation. It's actually possible to do this also in-place. The output and input buffers in the linear pseudo code of https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4 can be the same, as the output buffer will never overwrite something in the input buffer, which is not read yet.

Let me know, what you think. I'm happy to do the legwork.