docs(reviews/2026-07-03): P4 fix — sweep status staleness + re-aim fuzz/README (#11)
Co-authored-by: Aaron D. Lee <himself@adlee.work> Co-committed-by: Aaron D. Lee <himself@adlee.work>
This commit was merged in pull request #11.
This commit is contained in:
@@ -1,21 +1,44 @@
|
||||
# fuzz/ — cargo-fuzz harness directory (placeholder)
|
||||
|
||||
**Status:** placeholder. Not yet a cargo-fuzz project — just the directory.
|
||||
Fuzz harnesses land at spearhead step 5 (PSTN trunk) alongside the
|
||||
SIP/SDP/RTP wire parsers (PORT_PLAN §10 mandates continuous fuzzing of
|
||||
every wire parser). Slice 1 has no hostile-bytes surface (the browser is
|
||||
trusted), so no harnesses here yet — the `fuzz/` dir pre-paves the
|
||||
layout. Populating this directory with a real `cargo-fuzz` project
|
||||
(`fuzz/Cargo.toml` + `fuzz/fuzz_targets/*.rs`) happens at step 5.
|
||||
|
||||
If you're at step 5, replace this README with that structure:
|
||||
ADR-0007 abolished the first-party SIP parser (the original reason this
|
||||
directory was pre-paved), so the original `sip_parser` / `sdp_parser` fuzz
|
||||
targets are gone from the plan. The hostile-byte surfaces that *do* exist
|
||||
post-0007, and that the harnesses here will eventually target, are:
|
||||
|
||||
- **Tap protocol frames** (`crates/rutster-tap/src/protocol.rs`) — the WS
|
||||
framing between the core and an external brain. This is hostility surface
|
||||
#1 today: a brain is an untrusted process and its frames cross the FOB
|
||||
boundary. Slice-2 ships this surface without a fuzzer; the harness should
|
||||
land as soon as third-party brains exist (P6 of the 2026-07-03 adversarial
|
||||
review — the protocol should also carry an auth field by then).
|
||||
- **RTP packets at the str0m input** (slice-1's `rtc_session.rs` media
|
||||
ingress) — every byte str0m hands us is potentially hostile before str0m
|
||||
validates it; fuzz at the str0m-RtcSession boundary, not str0m internally.
|
||||
- **Opus decoder inputs** (`crates/rutster-media` codec boundary) — a
|
||||
malicious or malformed RTP payload hits the Opus decoder. Fuzz the
|
||||
decoded-PCM contract (finite-length, sane amplitude range), not the
|
||||
decoder internals.
|
||||
- **Provider media-fork framing** (spearhead step 5, post-ADR-0007) — the
|
||||
rented transport's media-fork delivers bytes that the CPaaS framed; that
|
||||
framing is the post-0007 equivalent of the SIP/SDP parser surface. Lands
|
||||
with step 5.
|
||||
|
||||
Slice 1 says "the browser is trusted" for the WebRTC ingress, which is
|
||||
correct for the *signaling* surface (str0m validates SDP). But the media
|
||||
plane accepts RTP from any peer that completed ICE, which makes the
|
||||
RTP/Opus surfaces above hostile-by-default regardless of signaling trust.
|
||||
|
||||
If you're populating this directory, replace it with:
|
||||
|
||||
- `fuzz/Cargo.toml` — cargo-fuzz manifest.
|
||||
- `fuzz/fuzz_targets/sip_parser.rs` — fuzz the SIP parser.
|
||||
- `fuzz/fuzz_targets/sdp_parser.rs` — fuzz the SDP parser.
|
||||
- `fuzz/fuzz_targets/rtp_packet.rs` — fuzz the RTP packet parser.
|
||||
- CI job running a short fuzz burst on each PR (the cargo-fuzz integration
|
||||
lands in `.github/workflows/` at that point).
|
||||
- `fuzz/fuzz_targets/tap_protocol.rs` — fuzz the tap protocol frame decoder.
|
||||
- `fuzz/fuzz_targets/rtp_packet.rs` — fuzz the str0m-RtcSession RTP input.
|
||||
- `fuzz/fuzz_targets/opus_payload.rs` — fuzz the Opus→PCM decoder boundary.
|
||||
- A CI job running a short fuzz burst on each PR.
|
||||
|
||||
The hot-path "drop + observe, don't crash" policy (spec §3.8) is what the
|
||||
future harnesses assert against: throw arbitrary bytes at the parser,
|
||||
assert it returns an error or drops silently — never panics.
|
||||
The hot-path "drop + observe, don't crash" policy (ARCHITECTURE.md Media
|
||||
plane; slice-4 spec §3.6) is what the harnesses assert against: throw
|
||||
arbitrary bytes at the surface, assert it returns an error or drops
|
||||
silently — never panics. A dropped packet must not terminate the peer.
|
||||
|
||||
Reference in New Issue
Block a user