author: David Benjamin <davidben@google.com> 2023-05-11 18:53:05 -0400
committer: Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> 2023-05-12 02:01:34 +0000
commit: b92fcfdc17f3ad794c220a86f4ae6695d0a0fb61 (patch)
tree: fa6db2e29f9434d7e4a8996f702e45034140abeb /fuzz
parent: e24491a09cbae08cccd1ad894455d547218d89c8 (diff)
Cap the input size to the conf fuzzer
Trying to fix all the places where these formats go quadratic isn't a good use of time. We've already documented that they're not safe for use with untrusted inputs. Even without such DoS issues, they cannot be safely used anyway. (E.g. RUSTSEC-2023-0023.) Just cap the fuzzer input. It'd be nice if we could avoid this more systematically in the function, but they're not structured to make this easy to do, and anyone concerned about DoS in this function has worse problems.

Bug: chromium:1444420, oss-fuzz:56048, 611
Change-Id: I53eeb346f59278ec2db3aac4a92573b927ed8003
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59785
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Diffstat (limited to 'fuzz')
-rw-r--r-- fuzz/conf.cc | 7
1 files changed, 7 insertions, 0 deletions
diff --git a/fuzz/conf.cc b/fuzz/conf.cc
index eed87f3..9b810e1 100644
--- a/fuzz/conf.cc
+++ b/fuzz/conf.cc
@@ -17,7 +17,14 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include <algorithm>
+
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+ // The string-based extensions APIs routinely produce output quadratic in
+ // their input. Cap the input size to mitigate this. See also
+ // https://crbug.com/boringssl/611.
+ len = std::min(len, size_t{8 * 1024});
+
bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(buf, len));
bssl::UniquePtr<CONF> conf(NCONF_new(nullptr));
if (NCONF_load_bio(conf.get(), bio.get(), nullptr)) {
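Review bot: the cap at `len = std::min(len, size_t{8 * 1024});` silently truncates oversized inputs instead of rejecting them, so the fuzzing engine will keep generating and mutating inputs longer than 8 KiB whose tails are never parsed; consider returning 0 early when `len > 8 * 1024`, or pairing the cap with a matching `max_len` in the fuzzer's options file, so the corpus does not fill with redundant large inputs. The 8 KiB constant also deserves a sentence in the new comment explaining why that size was chosen (large enough to cover realistic conf/extension sections, small enough that the quadratic string-extension paths stay fast), since the comment currently only cites https://crbug.com/boringssl/611.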