
Crash in recvfuzz.exe #4084

Open
gvanem opened this issue Jan 26, 2024 · 3 comments
Labels
Bug: Test/Tool Code bug in the test or tool specific code. external Proposed by non-MSFT
Comments

@gvanem

gvanem commented Jan 26, 2024

Describe the bug

I just did a git pull and a fresh build of MsQuic on Win-10 using MSVC's cl ver. 19.39.33428 for x64.

Running bin\Release\recvfuzz.exe prints:

Using seed value: 1968512925
Remote address: 127.0.0.1:9999
Failed to create sec config!

Then WinDbg kicks in; some modules and the offending instruction:

...
ModLoad: 00007ffe`b5030000 00007ffe`b50c8000   C:\Windows\system32\schannel.DLL
ModLoad: 00007ffe`97280000 00007ffe`97295000   C:\Windows\SYSTEM32\mskeyprotect.dll
(4494.27e0): Access violation - code c0000005 (!!! second chance !!!)

recvfuzz!CxPlatTlsInitialize+0x3d:
00007ff7`008aab6d 8b4810          mov     ecx,dword ptr [rax+10h] ds:00000000`00000010=????????

Call-stack:

recvfuzz!CxPlatTlsInitialize(struct CXPLAT_TLS_CONFIG * Config = 0x000000c6`bdafcd60, struct CXPLAT_TLS_PROCESS_STATE * State = 0x000000c6`bdafdf30, struct CXPLAT_TLS ** NewTlsContext = 0x000000c6`bdafdf20)+0x3d
recvfuzz!TlsContext::TlsContext(void)+0x213
recvfuzz!WriteInitialCryptoFrame(unsigned short * Offset = 0x000000c6`bdafe158, unsigned short BufferLength = 0x1000, unsigned char * Buffer = 0x000000c6`bdafe270 "H???")+0x30
recvfuzz!WriteClientInitialPacket(unsigned int PacketNumber = 0x34c, unsigned char CidLength = 0x08 '', unsigned short BufferLength = 0, unsigned char * Buffer = 0x000000c6`bdaff360 "", unsigned short * PacketLength = 0x000000c6`bdaff2f4, unsigned short * HeaderLength = 0x000000c6`bdaff2f0)+0x9c
recvfuzz!buildInitialPacket(struct CXPLAT_SOCKET * Binding = 0x0000028c`ccf84890, struct CXPLAT_ROUTE * Route = 0x000000c6`bdaff5f0, int64 * PacketCount = 0x000000c6`bdaff658, int64 * TotalByteCount = 0x000000c6`bdaff660, bool fuzzing = true)+0x16b
recvfuzz!fuzz(struct CXPLAT_SOCKET * Binding = 0x0000028c`ccf84890, struct CXPLAT_ROUTE * Route = 0x000000c6`bdaff6d0)+0x18a
recvfuzz!start(void)+0x547
recvfuzz!main(int argc = 0n1, char ** argv = 0x0000028c`cae7f858)+0x124
recvfuzz!invoke_main(void)+0x22
recvfuzz!__scrt_common_main_seh(void)+0x10c
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Root cause: in src/platform/tls_schannel.c (line 1542):

 if (Config->IsServer != !(Config->SecConfig->Flags & QUIC_CREDENTIAL_FLAG_CLIENT)) {
   //                              ^__ this is NULL!!
   ...
  }

Where/how should the Config->SecConfig value be set?

Affected OS

  • Windows
  • Linux
  • macOS
  • Other (specify below)

Additional OS information

Win 10. Build 19045, version 22H2 (OS-build 19045.3996).

MsQuic version

main

Steps taken to reproduce bug

Run recvfuzz.exe with no parameters. Seems it doesn't matter.

Expected behavior

Not crash. Duh!

Actual outcome

See above.

Additional details

Not really.
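An added example in C, not MsQuic's own code, that mirrors the shape of the check quoted above with simplified stand-in structs and shows the guard that turns a NULL SecConfig into an error return rather than the access violation in the WinDbg output. The value of QUIC_CREDENTIAL_FLAG_CLIENT and every DEMO_* name are assumptions made for this demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins for MsQuic's CXPLAT_TLS_CONFIG and the
   security config it points to; these are NOT the real definitions. */
#define QUIC_CREDENTIAL_FLAG_CLIENT 0x1u   /* value assumed for the demo */

typedef struct { uint32_t Flags; } DEMO_SEC_CONFIG;
typedef struct { bool IsServer; DEMO_SEC_CONFIG *SecConfig; } DEMO_TLS_CONFIG;

typedef enum {
    DEMO_OK = 0,
    DEMO_INVALID_PARAMETER = 1,   /* sec config missing */
    DEMO_ROLE_MISMATCH = 2        /* client/server role disagrees with sec config */
} DEMO_STATUS;

/* The role check from the report: reading Flags is the dereference that
   faults when SecConfig is NULL (mov ecx, [rax+10h] with rax == 0). */
static bool sec_config_is_client(const DEMO_SEC_CONFIG *sc) {
    return (sc->Flags & QUIC_CREDENTIAL_FLAG_CLIENT) != 0;
}

/* Hardened variant: reject a missing sec config before any field of it is
   read, so an earlier "Failed to create sec config!" surfaces as an error
   return instead of a crash deep inside TLS initialization. */
DEMO_STATUS demo_tls_initialize(const DEMO_TLS_CONFIG *Config) {
    if (Config == NULL || Config->SecConfig == NULL) {
        return DEMO_INVALID_PARAMETER;
    }
    if (Config->IsServer != !sec_config_is_client(Config->SecConfig)) {
        return DEMO_ROLE_MISMATCH;
    }
    return DEMO_OK;
}

/* Caller-side counterpart of the fuzzer's TlsContext setup: a failed
   sec-config creation is modelled as handing a NULL pointer downstream,
   which the guard above now catches. */
DEMO_STATUS demo_build_tls_context(bool sec_config_created, bool is_server,
                                   DEMO_SEC_CONFIG *created) {
    DEMO_TLS_CONFIG cfg = { .IsServer = is_server,
                            .SecConfig = sec_config_created ? created : NULL };
    return demo_tls_initialize(&cfg);
}
```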

@nibanks
Member

nibanks commented Jan 26, 2024

Did you run our prepare-machine.ps1 script first?

@gvanem
Author

gvanem commented Jan 26, 2024

Yes; pwsh scripts\prepare-machine.ps1 -ForTest

@nibanks nibanks added external Proposed by non-MSFT Bug: Test/Tool Code bug in the test or tool specific code. labels Jan 26, 2024
@nibanks nibanks added this to the Future milestone Jan 26, 2024
@nibanks
Member

nibanks commented Mar 14, 2024

We haven't tested this out much on OpenSSL yet. Did you figure anything out here?
