dns_rdata_fromwire_text fixes:

* Disallow compression pointers in names as we are not reading from a packet and as a result length checks fail. * Increase totext buffer size as fuzzer ran out of space on big bitmaps. * NUL terminate totext to make fault diagnosis easier. * Add debugging messages to make fault diagnosie easier.
2025-08-30 22:15:20 +00:00 · 2020-08-13 12:18:57 +10:00
parent 6c7e50c267
commit a92d973430
3 changed files with 31 additions and 4 deletions
--- a/fuzz/dns_rdata_fromwire_text.c
+++ b/fuzz/dns_rdata_fromwire_text.c
@@ -59,13 +59,21 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),

 static void
 nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
+	va_list args;
+
 	UNUSED(cb);
-	UNUSED(fmt);
+
+	if (debug) {
+		va_start(args, fmt);
+		vfprintf(stderr, fmt, args);
+		fprintf(stderr, "\n");
+		va_end(args);
+	}
 }

 int
 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-	char totext[1024];
+	char totext[64 * 1044 * 4];
 	dns_compress_t cctx;
 	dns_decompress_t dctx;
 	dns_rdatatype_t rdtype;
@@ -113,10 +121,15 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	rdclass = classlist[(*data++) % classes];
 	size--;

+	if (debug) {
+		fprintf(stderr, "type=%u, class=%u\n", rdtype, rdclass);
+	}
+
 	dns_rdatacallbacks_init(&callbacks);
 	callbacks.warn = callbacks.error = nullmsg;

-	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+	/* Disallow decompression as we are reading a packet */
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);

 	isc_buffer_constinit(&source, data, size);
 	isc_buffer_add(&source, size);
@@ -129,14 +142,20 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	 */
 	CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, 0,
 				 &target));
+	assert(rdata1.length == size);

 	/*
 	 * Convert to text from wire.
 	 */
-	isc_buffer_init(&target, totext, sizeof(totext));
+	isc_buffer_init(&target, totext, sizeof(totext) - 1);
 	result = dns_rdata_totext(&rdata1, NULL, &target);
 	assert(result == ISC_R_SUCCESS);

+	/*
+	 * Make debugging easier by NUL terminating.
+	 */
+	totext[isc_buffer_usedlength(&target)] = 0;
+
 	/*
 	 * Convert to wire from text.
 	 */
--- a/fuzz/fuzz.h
+++ b/fuzz/fuzz.h
@@ -23,6 +23,8 @@

 ISC_LANG_BEGINDECLS

+extern bool debug;
+
 int
 LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 		     char ***argv __attribute__((unused)));
--- a/fuzz/main.c
+++ b/fuzz/main.c
@@ -24,6 +24,8 @@

 #include <dirent.h>

+bool debug = false;
+
 static void
 test_all_from(const char *dirname) {
 	DIR *dirp;
@@ -98,6 +100,10 @@ main(int argc, char **argv) {
 	UNUSED(argc);
 	UNUSED(argv);

+	if (argc != 1) {
+		debug = true;
+	}
+
 	target = (target != NULL) ? target + 1 : argv[0];
 	if (strncmp(target, "lt-", 3) == 0) {
 		target += 3;