Reduce Max number of commands handled per fuzzer pass in quic-lcidm.

nhorman · t8m · commit 01c7958f2359 · 2025-10-04T10:28:50.000+02:00
We've gotten a few recent reports of a hang in the quic-lcidm fuzzer: https://issues.oss-fuzz.com/issues/448510502 It looks pretty straightforward (I think). The fuzzer input buffer is used in this particular case to randomly issue commands to the lcidm hash table (add/delete/query/flush/etc). The loop for the command processing (based on the input buffer), is limited to 10k commands. However the fuzzer will on occasion provide very large buffers (500k) which easily saturate that limit. If the input buffer happens to do something like get biased toward mostly additions, we wind up with a huge hashtable that has to constantly grow and rehash, which we've seen leads to timeouts in the past. Most direct fix I think here, given that this is something of an artificial failure in the fuzzer, is to simply clamp the command limit more. Fixes openssl/project#1664 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #28724)
diff --git a/fuzz/quic-lcidm.c b/fuzz/quic-lcidm.c
@@ -48,7 +48,7 @@ enum {
     CMD_LOOKUP
 };
 
-#define MAX_CMDS    10000
+#define MAX_CMDS    5000
 
 static int get_cid(PACKET *pkt, QUIC_CONN_ID *cid)
 {

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ enum {`
`48`	`48`	`CMD_LOOKUP`
`49`	`49`	`};`
`50`	`50`
`51`		`-#define MAX_CMDS 10000`
	`51`	`+#define MAX_CMDS 5000`
`52`	`52`
`53`	`53`	`static int get_cid(PACKET pkt, QUIC_CONN_ID cid)`
`54`	`54`	`{`