TypeError: 'int' object is not subscriptable

[shoeper]

On case 11868501 boofuzz crashed with TypeError: 'int' object is not subscriptable. Maybe someone has an idea.

  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1274, in fuzz
    self._main_fuzz_loop(self._generate_mutations_indefinitely(max_depth=max_depth))
  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1398, in _main_fuzz_loop
    self._fuzz_current_case(mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1764, in _fuzz_current_case
    self.transmit_fuzz(
  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1176, in transmit_fuzz
    data = self.fuzz_node.render(mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/request.py", line 130, in render
    return self.get_child_data(mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable_block.py", line 71, in get_child_data
    rendered += item.render(mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable.py", line 154, in render
    return self.encode(value=self.get_value(mutation_context=mutation_context), mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/block.py", line 114, in encode
    child_data = super(Block, self).get_child_data(mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable_block.py", line 71, in get_child_data
    rendered += item.render(mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable.py", line 154, in render
    return self.encode(value=self.get_value(mutation_context=mutation_context), mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/block.py", line 114, in encode
    child_data = super(Block, self).get_child_data(mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable_block.py", line 71, in get_child_data
    rendered += item.render(mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable.py", line 154, in render
    return self.encode(value=self.get_value(mutation_context=mutation_context), mutation_context=mutation_context)
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/size.py", line 112, in encode
    self._length_to_bytes(self._calculated_length(mutation_context=mutation_context))
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/size.py", line 122, in _calculated_length
    self.offset
TypeError: 'int' object is not subscriptable

Previously, I also had crashes when there was a connection reset on opening the connection. I worked around those by introducing a retry mechanism. I could submit a PR if you think it would be helpful.

I also ran into a SIGSEGV twice, but have no idea where that comes from, so far (fish: Job 1, 'cmd' terminated by signal SIGSEGV (Address boundary error)).

Fatal Python error: Segmentation fault
 
Thread 0x00007f8a713ad640 (most recent call first):
  File "/usr/lib64/python3.9/selectors.py", line 469 in select
  File "/usr/lib64/python3.9/asyncio/base_events.py", line 1854 in _run_once
  File "/usr/lib64/python3.9/asyncio/base_events.py", line 596 in run_forever
  File "/home/sven/.local/lib/python3.9/site-packages/tornado/platform/asyncio.py", line 132 in start
  File "/usr/lib64/python3.9/threading.py", line 892 in run
  File "/usr/lib64/python3.9/threading.py", line 954 in _bootstrap_inner
  File "/usr/lib64/python3.9/threading.py", line 912 in _bootstrap
 
Current thread 0x00007f8a80ff1740 (most recent call first):
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable.py", line 154 in render
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/size.py", line 149 in _length_of_target_block
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/size.py", line 11 in safe_recurse
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/size.py", line 124 in _calculated_length
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/size.py", line 112 in encode
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable.py", line 154 in render
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable_block.py", line 71 in get_child_data
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/block.py", line 114 in encode
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable.py", line 154 in render
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable_block.py", line 71 in get_child_data
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/block.py", line 114 in encode
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable.py", line 154 in render
  File "/home/sven/Documents/dev/boofuzz/boofuzz/fuzzable_block.py", line 71 in get_child_data
  File "/home/sven/Documents/dev/boofuzz/boofuzz/blocks/request.py", line 130 in render
  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1177 in transmit_fuzz
  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1766 in _fuzz_current_case
  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1400 in _main_fuzz_loop
  File "/home/sven/Documents/dev/boofuzz/boofuzz/sessions.py", line 1276 in fuzz

[SR4ven]

Sorry for the delayed answer @shoeper. Thanks for reporting.

At first sight, I have to idea what's going wrong at the type error but I'll take a closer look at it. At that point in the code we only add some integers but apparently there is an edge case where one variable gets a different type.

What crashed did you get when a connection reset occurred during the connection opening? There might be some exception handling missing. Feel free to open a PR and we'll take a look at it.

That segfault seems obscure too. Does it happen in the webserver thread or boofuzz main thread? Maybe it's the tornado webserver.

[jtpereyda]

@shoeper Are you able to share your script and any command line arguments you were using? That could make it easier to reproduce.

I can't tell much from the trace you attached, though the error looks familiar. If I recall anything I'll add it here.