
Commit 1488f55

author
MarcoFalke
committed
Merge bitcoin#22454: fuzz: Limit max ops in tx_pool fuzz targets
fa33ed4 fuzz: Limit max ops in tx_pool fuzz targets (MarcoFalke) Pull request description: Without a size limit on the input data, the runtime is unbounded. Fix this by picking an upper bound on the maximum number of fuzz operations. Reproducer from OSS-Fuzz (without bug report): [clusterfuzz-testcase-tx_pool_standard-5963992253202432.log](https://github.com/bitcoin/bitcoin/files/6822465/clusterfuzz-testcase-tx_pool_standard-5963992253202432.log) ACKs for top commit: practicalswift: cr ACK fa33ed4 Tree-SHA512: 32098d573880afba12d510ac83519dc886a6c65d5207edb810f92c7c61edf5e2fc9c57e7b7a1ae656c02ce14e3595707dd6b93caf7956beb2bc817609e14d23d
2 parents 2aa937e + fa33ed4 commit 1488f55


1 file changed

+10
-2
lines changed

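--- a/src/test/fuzz/tx_pool.cpp
+++ b/src/test/fuzz/tx_pool.cpp
@@ -112,6 +112,10 @@ void MockTime(FuzzedDataProvider& fuzzed_data_provider, const CChainState& chain
 
 FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
 {
+// Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
+// inputs.
+int limit_max_ops{300};
+
 FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
 const auto& node = g_setup->m_node;
 auto& chainstate = node.chainman->ActiveChainstate();
@@ -142,7 +146,7 @@ FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
 return c.out.nValue;
 };
 
-while (fuzzed_data_provider.ConsumeBool()) {
+while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
 {
 // Total supply is the mempool fee + all outpoints
 CAmount supply_now{WITH_LOCK(tx_pool.cs, return tx_pool.GetTotalFee())};
@@ -285,6 +289,10 @@ FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
 
 FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
 {
+// Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
+// inputs.
+int limit_max_ops{300};
+
 FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
 const auto& node = g_setup->m_node;
 auto& chainstate = node.chainman->ActiveChainstate();
@@ -305,7 +313,7 @@ FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
 CTxMemPool tx_pool_{/* estimator */ nullptr, /* check_ratio */ 1};
 MockedTxPool& tx_pool = *static_cast<MockedTxPool*>(&tx_pool_);
 
-while (fuzzed_data_provider.ConsumeBool()) {
+while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
 const auto mut_tx = ConsumeTransaction(fuzzed_data_provider, txids);
 
 if (fuzzed_data_provider.ConsumeBool()) {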
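Review bot: The cap is written twice, as `int limit_max_ops{300};` at new lines 117 and 294 with the same comment copied above each, so the two targets can drift apart when one of them is tuned later. A single file-scope `constexpr int MAX_FUZZ_OPS{300};` that each target copies into its local counter would keep them in step. The comment could also record the trade-off of the bound: once `--limit_max_ops >= 0` fails the loop stops without consuming further input, so mempool states that need more than 300 operations to build are no longer reachable by either target. Both function bodies continue outside the hunks shown.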
