fix msan-problems in fuzzer-environment

[linderd]

make msan in libfuzzer-pipeline happy

[tobhe]

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

[linderd]

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

for the use of md:
https://github.com/linderd/openiked-portable/actions/runs/6751828266/job/18356444600
for the use of spi32:
https://github.com/linderd/openiked-portable/actions/runs/7082747582/job/19273996029
for spi64 I thought it would also make sense, it looks like the same logic. At first I thought of a bug in the fuzzing harness, but also tried to simply initialize the vars and that worked. But yes, the spi thing looks strange..

[tobhe]

Thanks, that explains what's happening!

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

for the use of md: https://github.com/linderd/openiked-portable/actions/runs/6751828266/job/18356444600

So this can't happen normally. ikev2_nat_detection() either returns -1 or initializes md. Since we check for ret == -1 we are good. The parser-libfuzzer test on the other hand has a bug because it defines ikev2_nat_detection() as return 0 and doesn't initialize md, so there is the actual problem. Maybe it should bzero(md, len)?

for the use of spi32: https://github.com/linderd/openiked-portable/actions/runs/7082747582/job/19273996029 for spi64 I thought it would also make sense, it looks like the same logic. At first I thought of a bug in the fuzzing harness, but also tried to simply initialize the vars and that worked. But yes, the spi thing looks strange..

I don't yet fully understand this one. The only possible explanation I can think of is that the memcpy() doesn't copy the necessary amount of bytes to spi32 which gets assigned to rekey->spi and then a second notify of the same type triggers the bug in line 1165 when accessing rekey->spi. But there are length checks that should make sure left is the correct size and buf should not be NULL.

[linderd]

Thanks, that explains what's happening!

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

for the use of md: https://github.com/linderd/openiked-portable/actions/runs/6751828266/job/18356444600

So this can't happen normally. ikev2_nat_detection() either returns -1 or initializes md. Since we check for ret == -1 we are good. The parser-libfuzzer test on the other hand has a bug because it defines ikev2_nat_detection() as return 0 and doesn't initialize md, so there is the actual problem. Maybe it should bzero(md, len)?

makes sense, I fixed that

[linderd]

I wanted to refactor the prepare-steps in test_parser_fuzz.c anyway, so maybe I can find the problem with spi by doing that

[linderd]

I don't yet fully understand this one. The only possible explanation I can think of is that the memcpy() doesn't copy the necessary amount of bytes to spi32 which gets assigned to rekey->spi and then a second notify of the same type triggers the bug in line 1165 when accessing rekey->spi. But there are length checks that should make sure left is the correct size and buf should not be NULL.

It is confusing.., I'll try to investigate further on it, maybe I find something. But yes, normally both is checked so it can't happen.

[linderd]

problem found: msan doesn't work well with the used optimization level (O2). With O0 the spi-problem is not reproducible. I'll try to fix that with cmake.

[tobhe]

Looks good now, thanks!