Co-authored-by: Aaron D. Lee <himself@adlee.work> Co-committed-by: Aaron D. Lee <himself@adlee.work>
45 lines
2.5 KiB
Markdown
45 lines
2.5 KiB
Markdown
# fuzz/ — cargo-fuzz harness directory (placeholder)
|
|
|
|
**Status:** placeholder. Not yet a cargo-fuzz project — just the directory.
|
|
|
|
ADR-0007 abolished the first-party SIP parser (the original reason this
|
|
directory was pre-paved), so the original `sip_parser` / `sdp_parser` fuzz
|
|
targets are gone from the plan. The hostile-byte surfaces that *do* exist
|
|
post-0007, and that the harnesses here will eventually target, are:
|
|
|
|
- **Tap protocol frames** (`crates/rutster-tap/src/protocol.rs`) — the WS
|
|
framing between the core and an external brain. This is hostility surface
|
|
#1 today: a brain is an untrusted process and its frames cross the FOB
|
|
boundary. Slice-2 ships this surface without a fuzzer; the harness should
|
|
land as soon as third-party brains exist (P6 of the 2026-07-03 adversarial
|
|
review — the protocol should also carry an auth field by then).
|
|
- **RTP packets at the str0m input** (slice-1's `rtc_session.rs` media
|
|
ingress) — every byte str0m hands us is potentially hostile before str0m
|
|
validates it; fuzz at the str0m-RtcSession boundary, not str0m internally.
|
|
- **Opus decoder inputs** (`crates/rutster-media` codec boundary) — a
|
|
malicious or malformed RTP payload hits the Opus decoder. Fuzz the
|
|
decoded-PCM contract (finite-length, sane amplitude range), not the
|
|
decoder internals.
|
|
- **Provider media-fork framing** (spearhead step 5, post-ADR-0007) — the
|
|
rented transport's media-fork delivers bytes that the CPaaS framed; that
|
|
framing is the post-0007 equivalent of the SIP/SDP parser surface. Lands
|
|
with step 5.
|
|
|
|
Slice 1 says "the browser is trusted" for the WebRTC ingress, which is
|
|
correct for the *signaling* surface (str0m validates SDP). But the media
|
|
plane accepts RTP from any peer that completed ICE, which makes the
|
|
RTP/Opus surfaces above hostile-by-default regardless of signaling trust.
|
|
|
|
If you're populating this directory, replace it with:
|
|
|
|
- `fuzz/Cargo.toml` — cargo-fuzz manifest.
|
|
- `fuzz/fuzz_targets/tap_protocol.rs` — fuzz the tap protocol frame decoder.
|
|
- `fuzz/fuzz_targets/rtp_packet.rs` — fuzz the str0m-RtcSession RTP input.
|
|
- `fuzz/fuzz_targets/opus_payload.rs` — fuzz the Opus→PCM decoder boundary.
|
|
- A CI job running a short fuzz burst on each PR.
|
|
|
|
The hot-path "drop + observe, don't crash" policy (ARCHITECTURE.md Media
|
|
plane; slice-4 spec §3.6) is what the harnesses assert against: throw
|
|
arbitrary bytes at the surface, assert it returns an error or drops
|
|
silently — never panics. A dropped packet must not terminate the peer.
|