[fuzzing] Fix fuzzer found bugs in client promise call (grpc#34724)

umegaya · Oct 19, 2023 · 3f7d651 · 3f7d651
1 parent eccbc97
commit 3f7d651
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 0 deletions.
diff --git a/src/core/lib/surface/call.cc b/src/core/lib/surface/call.cc
@@ -2837,6 +2837,7 @@ class ClientPromiseBasedCall final : public PromiseBasedCall {
   Pipe<MessageHandle> server_to_client_messages_{arena()};
   bool is_trailers_only_ = false;
   bool scheduled_receive_status_ = false;
+  bool scheduled_send_close_ = false;
   // True once the promise for the call is started.
   // This corresponds to sending initial metadata, or cancelling before doing
   // so.
@@ -2906,7 +2907,10 @@ grpc_call_error ClientPromiseBasedCall::ValidateBatch(const grpc_op* ops,
         break;
       case GRPC_OP_RECV_INITIAL_METADATA:
       case GRPC_OP_RECV_MESSAGE:
+        if (op.flags != 0) return GRPC_CALL_ERROR_INVALID_FLAGS;
+        break;
       case GRPC_OP_SEND_CLOSE_FROM_CLIENT:
+        if (scheduled_send_close_) return GRPC_CALL_ERROR_TOO_MANY_OPERATIONS;
         if (op.flags != 0) return GRPC_CALL_ERROR_INVALID_FLAGS;
         break;
       case GRPC_OP_RECV_STATUS_ON_CLIENT:
@@ -2973,6 +2977,7 @@ void ClientPromiseBasedCall::CommitBatch(const grpc_op* ops, size_t nops,
             &server_to_client_messages_.receiver, false, spawner);
         break;
       case GRPC_OP_SEND_CLOSE_FROM_CLIENT:
+        scheduled_send_close_ = true;
         spawner.Spawn(
             "send_close_from_client",
             [this]() {

diff --git a/test/core/end2end/fuzzers/client_fuzzer_corpus/5694930614812672 b/test/core/end2end/fuzzers/client_fuzzer_corpus/5694930614812672
@@ -0,0 +1,41 @@
+api_actions {
+  create_call {
+    propagation_mask: 51456
+    method {
+      value: "\023"
+    }
+    timeout: 1560281087
+  }
+}
+api_actions {
+  queue_batch {
+    operations {
+      receive_status_on_client {
+      }
+    }
+    operations {
+      send_message {
+      }
+    }
+  }
+}
+api_actions {
+  queue_batch {
+    operations {
+    }
+    operations {
+      flags: 172184661
+    }
+  }
+}
+api_actions {
+  queue_batch {
+    operations {
+      receive_status_on_client {
+      }
+    }
+  }
+}
+config_vars {
+  experiments: 18374694180430544895
+}
diff --git a/test/core/end2end/fuzzers/client_fuzzer_corpus/6195677899063296 b/test/core/end2end/fuzzers/client_fuzzer_corpus/6195677899063296
@@ -0,0 +1,27 @@
+api_actions {
+  create_call {
+    method {
+      value: "="
+    }
+    timeout: -2045050880
+  }
+}
+api_actions {
+  queue_batch {
+    operations {
+      send_close_from_client {
+      }
+    }
+  }
+}
+api_actions {
+  queue_batch {
+    operations {
+      send_close_from_client {
+      }
+    }
+  }
+}
+config_vars {
+  experiments: 72057594037927935
+}