From a92d97343042b49cf8d71492d57777e01b918613 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 13 Aug 2020 12:18:57 +1000
Subject: [PATCH] dns_rdata_fromwire_text fixes:
* Disallow compression pointers in names as we are not reading from a packet and as a result length checks fail.
* Increase totext buffer size as fuzzer ran out of space on big bitmaps.
* NUL terminate totext to make fault diagnosis easier.
* Add debugging messages to make fault diagnosie easier.
---
 fuzz/dns_rdata_fromwire_text.c | 27 +++++++++++++++++++++++----
 fuzz/fuzz.h | 2 ++
 fuzz/main.c | 6 ++++++
 3 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/fuzz/dns_rdata_fromwire_text.c b/fuzz/dns_rdata_fromwire_text.c
index 20db8058d3..a71ba5ef37 100644
--- a/fuzz/dns_rdata_fromwire_text.c
+++ b/fuzz/dns_rdata_fromwire_text.c
@@ -59,13 +59,21 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 static void
 nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
+ va_list args;
+
 UNUSED(cb);
- UNUSED(fmt);
+
+ if (debug) {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr, "\n");
+ va_end(args);
+ }
 }
 int
 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- char totext[1024];
+ char totext[64 * 1044 * 4];
 dns_compress_t cctx;
 dns_decompress_t dctx;
 dns_rdatatype_t rdtype;
@@ -113,10 +121,15 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 rdclass = classlist[(*data++) % classes];
 size--;
+ if (debug) {
+ fprintf(stderr, "type=%u, class=%u\n", rdtype, rdclass);
+ }
+
 dns_rdatacallbacks_init(&callbacks);
 callbacks.warn = callbacks.error = nullmsg;
- dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+ /* Disallow decompression as we are reading a packet */
+ dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
 isc_buffer_constinit(&source, data, size);
 isc_buffer_add(&source, size);
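Review bot: `char totext[64 * 1044 * 4];` replaces the old 1024 with an unexplained product of roughly 261 kB on the stack; the commit message says the size is driven by large type bitmaps, so that reasoning belongs next to the number as a named constant, e.g. `enum { TOTEXT_SIZE = 64 * 1044 * 4 }; /* room for the largest type-bitmap text the fuzzer has produced */`, and if 1044 was meant to read 1024 this is the place that would catch it. The rewritten nullmsg relies on va_list, vfprintf and stderr, so <stdarg.h> and <stdio.h> must be included; the file's include block is outside this hunk, so that cannot be confirmed here. nullmsg still forwards the library-supplied fmt unchanged to vfprintf, which is correct for the callback contract as long as nothing ever routes input-derived text through that parameter.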
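Review bot: The new comment `/* Disallow decompression as we are reading a packet */` says the opposite of the reason recorded in the commit message, where compression pointers are rejected precisely because the input is not a packet and the pointer length checks cannot hold. Suggest `/* Disallow compression pointers: the input is a bare rdata blob, not a packet, so pointer targets cannot be validated */` so the next reader does not re-enable DNS_DECOMPRESS_ANY on the strength of the comment. The enclosing LLVMFuzzerTestOneInput body starts and ends outside this hunk.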
@@ -129,14 +142,20 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 */
 CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, 0,
 &target));
+ assert(rdata1.length == size);
 /*
 * Convert to text from wire.
 */
- isc_buffer_init(&target, totext, sizeof(totext));
+ isc_buffer_init(&target, totext, sizeof(totext) - 1);
 result = dns_rdata_totext(&rdata1, NULL, &target);
 assert(result == ISC_R_SUCCESS);
+ /*
+ * Make debugging easier by NUL terminating.
+ */
+ totext[isc_buffer_usedlength(&target)] = 0;
+
 /*
 * Convert to wire from text.
 */
diff --git a/fuzz/fuzz.h b/fuzz/fuzz.h
index a3f4ae8388..c206528de6 100644
--- a/fuzz/fuzz.h
+++ b/fuzz/fuzz.h
@@ -23,6 +23,8 @@
 ISC_LANG_BEGINDECLS
+extern bool debug;
+
 int
 LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 char ***argv __attribute__((unused)));
diff --git a/fuzz/main.c b/fuzz/main.c
index d1ae9492df..85a9031a0f 100644
--- a/fuzz/main.c
+++ b/fuzz/main.c
@@ -24,6 +24,8 @@
 #include
+bool debug = false;
+
 static void
 test_all_from(const char *dirname) {
 DIR *dirp;
@@ -98,6 +100,10 @@ main(int argc, char **argv) {
 UNUSED(argc);
 UNUSED(argv);
+ if (argc != 1) {
+ debug = true;
+ }
+
 target = (target != NULL) ? target + 1 : argv[0];
 if (strncmp(target, "lt-", 3) == 0) {
 target += 3;
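Review bot: `isc_buffer_init(&target, totext, sizeof(totext) - 1);` and the later `totext[isc_buffer_usedlength(&target)] = 0;` are coupled: the reserved byte is the only thing keeping the terminating store inside the array, because the used length can reach the full buffer length handed to the init, yet nothing on the init line says so. A comment there, `/* reserve one byte for the NUL written after dns_rdata_totext() */`, stops a later cleanup from restoring `sizeof(totext)` and reintroducing a one-byte stack overflow. The enclosing LLVMFuzzerTestOneInput body starts and ends outside this hunk.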
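Review bot: `extern bool debug;` relies on `bool`, but no <stdbool.h> include is visible in this hunk; if fuzz.h does not already pull it in above line 23, every harness including the header must do so first, which is fragile for a shared header. The name `debug` is also a likely collision with file-scope variables in individual harnesses; a prefixed name such as `fuzz_debug` would keep the shared global namespace clean. The matching definition is in fuzz/main.c in this patch.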
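Review bot: `UNUSED(argc);` two lines above the new `if (argc != 1)` is now false, since argc is read; that line should be dropped (and `UNUSED(argv);` was already stale, because `argv[0]` is read in the context line below). The new switch enables debug output for any extra argument regardless of its value, so a comment such as `/* any command-line argument enables verbose callback diagnostics on stderr */` would document the intended invocation. The enclosing main() starts before and continues after this hunk.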