
OER encoding roundtrip confuses fields #270

Open
pcwizz opened this issue Jun 20, 2024 · 2 comments


pcwizz commented Jun 20, 2024

d1 is the original input from the fuzzer, which is decoded into s1. We then encode s1 to get d2. d1 and d2 differ, but that is acceptable — even desirable — since the OER codec can produce more concise valid OER than libFuzzer, which knows nothing about OER beyond the starting corpus and which inputs were rejected or accepted. We then decode d2 into s2. s1 and s2 differ, and they should not: all we have done is re-encode the data, so decode(encode(s1)) must equal s1.

d1: [4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 132, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 102, 4, 4, 4, 4, 4, 4, 113, 117, 10]
d2: [4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 0, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4]
s1: Message { version: 67372036, global_data: HeaderData { message_id: 67372036, max_size: 67372036, flags: b"", security_model: 67372036 }, security_parameters: b"\x04\x04\x04\x04", scoped_data: EncryptedPdu(b"\x04\x04\x04\x04") }
s2: Message { version: 67372036, global_data: HeaderData { message_id: 67372036, max_size: 67372036, flags: b"\x04\x04\x04\x04", security_model: 67372036 }, security_parameters: b"\x04\x04\x04\x04", scoped_data: EncryptedPdu(b"") }

EncryptedPdu and flags are both OCTET STRINGs, so it is notable that their contents appear to get swapped: the four 0x04 bytes that land in scoped_data in s1 land in flags in s2. Since msgFlags is the field SNMPv3 uses to carry the authentication/privacy flags, octets being assigned to the wrong field is more than a cosmetic mismatch.

Closer inspection is required to locate the bug — whether it lies in the encoder or the decoder. A useful first step is to decode d2 by hand against the OER rules (or with an independent OER implementation): if d2 is valid OER for s1, the decoder is at fault; if not, the encoder is. It is also worth checking whether the decoder requires the whole input to be consumed — d1 is 180 bytes but re-encodes to 32, so much of d1 was presumably either tolerated as non-canonical encoding or ignored as trailing data.

This fuzz harness was used:

#![no_main]

use libfuzzer_sys::{Corpus,fuzz_target};

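/// Round-trip harness for the OER codec on `rasn_snmp::v3::Message`.
///
/// Property under test: for any input the decoder accepts,
/// `decode(encode(decode(data))) == decode(data)`. The re-encoded bytes are
/// allowed to differ from `data` (the encoder is free to be more concise than
/// the fuzzer's mutations), so only the decoded values are compared.
fuzz_target!(|data: &[u8]| -> Corpus {
    // Inputs the decoder rejects cannot exercise the round trip, so steer the
    // fuzzer away from them instead of keeping them in the corpus.
    let s1 = match rasn::oer::decode::<rasn_snmp::v3::Message>(data) {
        Ok(v) => v,
        Err(_) => return Corpus::Reject,
    };
    // A value the decoder accepted must be encodable; name the stage so the
    // crash report tells an encoder failure apart from a round-trip mismatch.
    let d2 = rasn::oer::encode(&s1)
        .expect("OER encoder rejected a value the OER decoder accepted");
    // The decoder must accept its own encoder's output.
    let s2 = rasn::oer::decode::<rasn_snmp::v3::Message>(&d2)
        .expect("OER decoder rejected the OER encoder's output");
    // The actual round-trip property; a failure here is a codec bug, not a
    // fuzzer artefact, because both values came from the codec itself.
    assert_eq!(s1, s2, "OER round trip changed the decoded value");
    Corpus::Keep
});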

Output from the fuzz harness, including a backtrace:

thread '<unnamed>' panicked at fuzz_targets/cmp_snmp_v3_oer.rs:12:5:
assertion `left == right` failed
  left: Message { version: 67372036, global_data: HeaderData { message_id: 67372036, max_size: 67372036, flags: b"", security_model: 67372036 }, security_parameters: b"\x04\x04\x04\x04", scoped_data: EncryptedPdu(b"\x04\x04\x04\x04") }
 right: Message { version: 67372036, global_data: HeaderData { message_id: 67372036, max_size: 67372036, flags: b"\x04\x04\x04\x04", security_model: 67372036 }, security_parameters: b"\x04\x04\x04\x04", scoped_data: EncryptedPdu(b"") }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==89563== ERROR: libFuzzer: deadly signal
    #0 0x1049f9470 in __sanitizer_print_stack_trace+0x28 (librustc-nightly_rt.asan.dylib:arm64+0x59470)
    #1 0x10367c5fc in fuzzer::PrintStackTrace()+0x30 (cmp_snmp_v3_oer:arm64+0x1008445fc)
    #2 0x10366f590 in fuzzer::Fuzzer::CrashCallback()+0x54 (cmp_snmp_v3_oer:arm64+0x100837590)
    #3 0x18053f580 in _sigtramp+0x34 (libsystem_platform.dylib:arm64+0x4580)
    #4 0x1b5c00018050ec1c  (<unknown module>)
    #5 0x622d00018041ba1c  (<unknown module>)
    #6 0x36238001036e8698  (<unknown module>)
    #7 0x1037351f4 in std::process::abort::h34c97040caf7df38+0x8 (cmp_snmp_v3_oer:arm64+0x1008fd1f4)
    #8 0x10366e4c0 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h7a53761f12b67db4+0xb8 (cmp_snmp_v3_oer:arm64+0x1008364c0)
    #9 0x1036df670 in std::panicking::rust_panic_with_hook::hd4efef7c95419c65+0x5c4 (cmp_snmp_v3_oer:arm64+0x1008a7670)
    #10 0x1036df074 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hb607843a3e5e990f+0x94 (cmp_snmp_v3_oer:arm64+0x1008a7074)
    #11 0x1036dccb4 in std::sys_common::backtrace::__rust_end_short_backtrace::h0428fbb24c431116+0x8 (cmp_snmp_v3_oer:arm64+0x1008a4cb4)
    #12 0x1036dede4 in rust_begin_unwind+0x30 (cmp_snmp_v3_oer:arm64+0x1008a6de4)
    #13 0x103736d78 in core::panicking::panic_fmt::hba5d86399e74ef8b+0x28 (cmp_snmp_v3_oer:arm64+0x1008fed78)
    #14 0x10373711c in core::panicking::assert_failed_inner::h362fdfc15ba4d131+0x114 (cmp_snmp_v3_oer:arm64+0x1008ff11c)
    #15 0x10372ea9c in core::panicking::assert_failed::h594dd98ea7807013 panicking.rs:363
    #16 0x102f39c10 in cmp_snmp_v3_oer::_::__libfuzzer_sys_run::h11621c693c14d32b cmp_snmp_v3_oer.rs:12
    #17 0x102f38ea0 in rust_fuzzer_test_input lib.rs:297
    #18 0x103668e4c in std::panicking::try::do_call::h26ba1b79d651ec21+0xc4 (cmp_snmp_v3_oer:arm64+0x100830e4c)
    #19 0x10366e73c in __rust_try+0x20 (cmp_snmp_v3_oer:arm64+0x10083673c)
    #20 0x10366db78 in LLVMFuzzerTestOneInput+0x16c (cmp_snmp_v3_oer:arm64+0x100835b78)
    #21 0x103670e54 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x150 (cmp_snmp_v3_oer:arm64+0x100838e54)
    #22 0x1036704e4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*)+0x48 (cmp_snmp_v3_oer:arm64+0x1008384e4)
    #23 0x103671ed0 in fuzzer::Fuzzer::MutateAndTestOne()+0x230 (cmp_snmp_v3_oer:arm64+0x100839ed0)
    #24 0x103672d08 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>&)+0x398 (cmp_snmp_v3_oer:arm64+0x10083ad08)
    #25 0x103693ee0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1d74 (cmp_snmp_v3_oer:arm64+0x10085bee0)
    #26 0x1036a1758 in main+0x24 (cmp_snmp_v3_oer:arm64+0x100869758)
    #27 0x1801860dc  (<unknown module>)
    #28 0xe155fffffffffffc  (<unknown module>)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 ShuffleBytes-ChangeByte-; base unit: b2777fa3fe0d8b568a3a1c77bb3474dac55567b2
0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x84,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x4,0x66,0x4,0x4,0x4,0x4,0x4,0x4,0x71,0x75,0xa,
\004\004\004\004\004\004\004\004\004\004\004\004\004\004\004\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\204\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\004\004\004\004\004\004\004\004\004\004\004\004\004\004\004\004\004\004\004f\004\004\004\004\004\004qu\012
artifact_prefix='/Users/pcwizz/work/ROS/RASN/rasn/fuzz/artifacts/cmp_snmp_v3_oer/'; Test unit written to /Users/pcwizz/work/ROS/RASN/rasn/fuzz/artifacts/cmp_snmp_v3_oer/crash-4d1ffd1f959dab469e9724df9fcde5cdd8dcac18
Base64: BAQEBAQEBAQEBAQEBAQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEBAQEBAQEBAQEBAQEBAQEBAQEZgQEBAQEBHF1Cg==

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/cmp_snmp_v3_oer/crash-4d1ffd1f959dab469e9724df9fcde5cdd8dcac18

Output of `std::fmt::Debug`:

        [
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            132,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            4,
            102,
            4,
            4,
            4,
            4,
            4,
            4,
            113,
            117,
            10,
        ]
@XAMPPRocky
Collaborator

Cc @Nicceboy

@Nicceboy
Contributor

Thanks for the issue! I think this is related to issue #258, since an untagged CHOICE is also present here.
