Files
rutster/fuzz/README.md
Aaron D. Lee 0eb20b729a
Some checks failed
CI / fmt (push) Successful in 1m32s
CI / clippy (push) Successful in 1m31s
CI / test (1.85) (push) Successful in 3m57s
CI / deny (push) Has been cancelled
CI / test (stable) (push) Has been cancelled
docs(reviews/2026-07-03): P4 fix — sweep status staleness + re-aim fuzz/README (#11)
Co-authored-by: Aaron D. Lee <himself@adlee.work>
Co-committed-by: Aaron D. Lee <himself@adlee.work>
2026-07-04 01:44:27 +00:00

45 lines
2.5 KiB
Markdown

# fuzz/ — cargo-fuzz harness directory (placeholder)
**Status:** placeholder. Not yet a cargo-fuzz project — just the directory.
ADR-0007 abolished the first-party SIP parser (the original reason this
directory was pre-paved), so the original `sip_parser` / `sdp_parser` fuzz
targets are gone from the plan. The hostile-byte surfaces that *do* exist
post-0007, and that the harnesses here will eventually target, are:
- **Tap protocol frames** (`crates/rutster-tap/src/protocol.rs`) — the WS
framing between the core and an external brain. This is hostility surface
#1 today: a brain is an untrusted process and its frames cross the FOB
boundary. Slice-2 ships this surface without a fuzzer; the harness should
land as soon as third-party brains exist (P6 of the 2026-07-03 adversarial
review — the protocol should also carry an auth field by then).
- **RTP packets at the str0m input** (slice-1's `rtc_session.rs` media
ingress) — every byte str0m hands us is potentially hostile before str0m
validates it; fuzz at the str0m-RtcSession boundary, not str0m internally.
- **Opus decoder inputs** (`crates/rutster-media` codec boundary) — a
malicious or malformed RTP payload hits the Opus decoder. Fuzz the
decoded-PCM contract (finite-length, sane amplitude range), not the
decoder internals.
- **Provider media-fork framing** (spearhead step 5, post-ADR-0007) — the
rented transport's media-fork delivers bytes that the CPaaS framed; that
framing is the post-0007 equivalent of the SIP/SDP parser surface. Lands
with step 5.
Slice 1 says "the browser is trusted" for the WebRTC ingress, which is
correct for the *signaling* surface (str0m validates SDP). But the media
plane accepts RTP from any peer that completed ICE, which makes the
RTP/Opus surfaces above hostile-by-default regardless of signaling trust.
If you're populating this directory, replace it with:
- `fuzz/Cargo.toml` — cargo-fuzz manifest.
- `fuzz/fuzz_targets/tap_protocol.rs` — fuzz the tap protocol frame decoder.
- `fuzz/fuzz_targets/rtp_packet.rs` — fuzz the str0m-RtcSession RTP input.
- `fuzz/fuzz_targets/opus_payload.rs` — fuzz the Opus→PCM decoder boundary.
- A CI job running a short fuzz burst on each PR.
The hot-path "drop + observe, don't crash" policy (ARCHITECTURE.md Media
plane; slice-4 spec §3.6) is what the harnesses assert against: throw
arbitrary bytes at the surface, assert it returns an error or drops
silently — never panics. A dropped packet must not terminate the peer.