docs(reviews/2026-07-03): P4 fix — sweep status staleness + re-aim fuzz/README (#11)
Some checks failed
CI / fmt (push) Successful in 1m32s
CI / clippy (push) Successful in 1m31s
CI / test (1.85) (push) Successful in 3m57s
CI / deny (push) Has been cancelled
CI / test (stable) (push) Has been cancelled

Co-authored-by: Aaron D. Lee <himself@adlee.work>
Co-committed-by: Aaron D. Lee <himself@adlee.work>
This commit was merged in pull request #11.
This commit is contained in:
2026-07-04 01:44:27 +00:00
committed by A.D.Lee
parent 276dc5ac45
commit 0eb20b729a
4 changed files with 57 additions and 31 deletions

View File

@@ -1,21 +1,44 @@
# fuzz/ — cargo-fuzz harness directory (placeholder)
**Status:** placeholder. Not yet a cargo-fuzz project — just the directory.
Fuzz harnesses land at spearhead step 5 (PSTN trunk) alongside the
SIP/SDP/RTP wire parsers (PORT_PLAN §10 mandates continuous fuzzing of
every wire parser). Slice 1 has no hostile-bytes surface (the browser is
trusted), so no harnesses here yet — the `fuzz/` dir pre-paves the
layout. Populating this directory with a real `cargo-fuzz` project
(`fuzz/Cargo.toml` + `fuzz/fuzz_targets/*.rs`) happens at step 5.
If you're at step 5, replace this README with that structure:
ADR-0007 abolished the first-party SIP parser (the original reason this
directory was pre-paved), so the original `sip_parser` / `sdp_parser` fuzz
targets are gone from the plan. The hostile-byte surfaces that *do* exist
post-0007, and that the harnesses here will eventually target, are:
- **Tap protocol frames** (`crates/rutster-tap/src/protocol.rs`) — the WS
framing between the core and an external brain. This is hostility surface
#1 today: a brain is an untrusted process and its frames cross the FOB
boundary. Slice-2 ships this surface without a fuzzer; the harness should
land as soon as third-party brains exist (P6 of the 2026-07-03 adversarial
review — the protocol should also carry an auth field by then).
- **RTP packets at the str0m input** (slice-1's `rtc_session.rs` media
ingress) — every byte str0m hands us is potentially hostile before str0m
validates it; fuzz at the str0m-RtcSession boundary, not str0m internally.
- **Opus decoder inputs** (`crates/rutster-media` codec boundary) — a
malicious or malformed RTP payload hits the Opus decoder. Fuzz the
decoded-PCM contract (finite-length, sane amplitude range), not the
decoder internals.
- **Provider media-fork framing** (spearhead step 5, post-ADR-0007) — the
rented transport's media-fork delivers bytes that the CPaaS framed; that
framing is the post-0007 equivalent of the SIP/SDP parser surface. Lands
with step 5.
Slice 1 says "the browser is trusted" for the WebRTC ingress, which is
correct for the *signaling* surface (str0m validates SDP). But the media
plane accepts RTP from any peer that completed ICE, which makes the
RTP/Opus surfaces above hostile-by-default regardless of signaling trust.
If you're populating this directory, replace it with:
- `fuzz/Cargo.toml` — cargo-fuzz manifest.
- `fuzz/fuzz_targets/sip_parser.rs` — fuzz the SIP parser.
- `fuzz/fuzz_targets/sdp_parser.rs` — fuzz the SDP parser.
- `fuzz/fuzz_targets/rtp_packet.rs` — fuzz the RTP packet parser.
- CI job running a short fuzz burst on each PR (the cargo-fuzz integration
lands in `.github/workflows/` at that point).
- `fuzz/fuzz_targets/tap_protocol.rs` — fuzz the tap protocol frame decoder.
- `fuzz/fuzz_targets/rtp_packet.rs` — fuzz the str0m-RtcSession RTP input.
- `fuzz/fuzz_targets/opus_payload.rs` — fuzz the Opus→PCM decoder boundary.
- A CI job running a short fuzz burst on each PR.
The hot-path "drop + observe, don't crash" policy (spec §3.8) is what the
future harnesses assert against: throw arbitrary bytes at the parser,
assert it returns an error or drops silently — never panics.
The hot-path "drop + observe, don't crash" policy (ARCHITECTURE.md Media
plane; slice-4 spec §3.6) is what the harnesses assert against: throw
arbitrary bytes at the surface, assert it returns an error or drops
silently — never panics. A dropped packet must not terminate the peer.