Umbrella issue for fuzz tests in Zenoh

[evshary]

This is an umbrella issue for fuzz tests in Zenoh
We decided to use cargo-fuzz to test the Zenoh protocol, and we will list all the related PRs and the found vulnerabilities here.

To add the fuzz framework

• zenoh
  • parse / round-trip
    • transport_message: feat(codec): add Zenoh message fuzz target #2591
    • network_message: feat(codec): add Zenoh message fuzz target #2591
    • scouting_message: feat(codec): add Zenoh message fuzz target #2591
    • endpoint_from_str: feat(codec): add Zenoh message fuzz target #2591
  • arbitrary: structured messages: Fuzz: Use arbitrary for the network messages and refactor the framework #2627
  • (optional) proptest: check the protocol state machine (We need to find out some oracles or invariants to do this)
• zenoh-pico

  • run fuzz-test in zenoh-pico (Run with libFuzzer)

    • scouting_message: fuzz(codec): Add fuzz tests for scouting zenoh-pico#1235
    • endpoint_str: test(fuzz): add endpoint string fuzz target and CI build coverage zenoh-pico#1249
    • transport_message

  • Test with qemu (Run with AFL++)

CI

• local CI: ci(fuzz): add scheduled fuzz campaigns #2616
• Add the project to OSS-Fuzz: zenoh: initialize integration google/oss-fuzz#15544

Found issues

Zenoh

• The mismatch of encode and decode:
  • fix(buffers): allow empty write_exact calls #2593: Crash when encoding packet with cookie=0 in the Transport Message
    • We can decode the raw packet into the Transport Message with VLE value = 0
    • But we can’t encode the Transport Message with VLE value = 0 back to a raw packet
  • fix(protocol): preserve sender-mapped empty wire exprs #2599: The encode and decode mismatch in WireExprType while mapping = Sender
  • fix(codec): avoid extension count truncation on re-encode #2605: Need to use usize instead of u8 to count the number of extensions
  • fix(codec): reject noncanonical locator strings #2607: The encode and decode mismatch when the locators contain # in the hello message. In the PR, we don't accept any locator with #
• Unchecked length bug:
  • fix(buffers): reject oversized zslice reads #2594: Crash when the length of the cookie is huge, but the actual packet is small
    • We verify that the actual length of the packet should be larger than the length field. If not, return an error for the invalid format.
  • fix(codec): reject undersized query body values #2595: Crash when QueryBody (the extension in QUERY data messages) has a wrong length.
    • The format of QueryBody is ext_id, length, encoding, payload
    • The length should be larger than 0 while there is an encoding field.
    • If we have an invalid length, there is an internal error that crashes the library.
  • fix(codec): reject truncated bounded strings #2601: Crash when the declared length is larger than the actual input bytes in the bounded Vec<u8> / String decoder.
  • fix(codec): reject impossible scouting locator counts #2606: Crash when the length of the locator-list is larger than the actual locators in hello messages
• Endpoint parsing
  • fix(protocol): reject malformed endpoint parameter sections #2612: Reject the malformed format when transforming from str to endpoint.

zenoh-pico

• Bug in scouting messages handler
  • fix(codec): validate scouting message ZID lengths zenoh-pico#1228: When we have a large ZID length, which is larger than the actual buffer size, the library will read oversize and crash.
  • fix(codec): make locator decode cleanup safe zenoh-pico#1236: Release locator memory even if the decoding fails
  • fix(codec): bound HELLO locator count by remaining bytes zenoh-pico#1237: Add a simple bounds check before a big allocation of locators
  • fix(codec): reject malformed metadata without separators zenoh-pico#1238: Missing = will end in an infinite loop
  • fix(codec): bound locator metadata to the metadata section zenoh-pico#1239: Crash if # is before ? because of the wrong calculation on the offset
• Bug in endpoint_str
  • fix(config): avoid malformed locator metadata crashes zenoh-pico#1248: Read out of bounds and infinite loop while parsing tcp/127.0.0.1:7447?invalid