mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

dns_rdata_fromwire_text fixes:

Browse Source 
* Disallow compression pointers in names as we are not
  reading from a packet and as a result length checks fail.
* Increase totext buffer size as fuzzer ran out of space on
  big bitmaps.
* NUL terminate totext to make fault diagnosis easier.
* Add debugging messages to make fault diagnosie easier.
This commit is contained in:
Mark Andrews
2020-08-13 12:18:57 +10:00
parent 6c7e50c267
commit a92d973430
3 changed files with 31 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
fuzz/dns_rdata_fromwire_text.c
View File

@@ -59,13 +59,21 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),
static void static void
nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) { nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
va_list args;
UNUSED(cb); UNUSED(cb);
UNUSED(fmt);
if (debug) {
va_start(args, fmt);
vfprintf(stderr, fmt, args);
fprintf(stderr, "\n");
va_end(args);
}
} }
int int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
char totext[1024]; char totext[64 * 1044 * 4];
dns_compress_t cctx; dns_compress_t cctx;
dns_decompress_t dctx; dns_decompress_t dctx;
dns_rdatatype_t rdtype; dns_rdatatype_t rdtype;
@@ -113,10 +121,15 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
rdclass = classlist[(*data++) % classes]; rdclass = classlist[(*data++) % classes];
size--; size--;
if (debug) {
fprintf(stderr, "type=%u, class=%u\n", rdtype, rdclass);
}
dns_rdatacallbacks_init(&callbacks); dns_rdatacallbacks_init(&callbacks);
callbacks.warn = callbacks.error = nullmsg; callbacks.warn = callbacks.error = nullmsg;
dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY); /* Disallow decompression as we are reading a packet */
dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
isc_buffer_constinit(&source, data, size); isc_buffer_constinit(&source, data, size);
isc_buffer_add(&source, size); isc_buffer_add(&source, size);
@@ -129,14 +142,20 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
*/ */
CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, 0, CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, 0,
&target)); &target));
assert(rdata1.length == size);
/* /*
* Convert to text from wire. * Convert to text from wire.
*/ */
isc_buffer_init(&target, totext, sizeof(totext)); isc_buffer_init(&target, totext, sizeof(totext) - 1);
result = dns_rdata_totext(&rdata1, NULL, &target); result = dns_rdata_totext(&rdata1, NULL, &target);
assert(result == ISC_R_SUCCESS); assert(result == ISC_R_SUCCESS);
/*
* Make debugging easier by NUL terminating.
*/
totext[isc_buffer_usedlength(&target)] = 0;
/* /*
* Convert to wire from text. * Convert to wire from text.
*/ */

2
fuzz/fuzz.h
View File

@@ -23,6 +23,8 @@
ISC_LANG_BEGINDECLS ISC_LANG_BEGINDECLS
extern bool debug;
int int
LLVMFuzzerInitialize(int *argc __attribute__((unused)), LLVMFuzzerInitialize(int *argc __attribute__((unused)),
char ***argv __attribute__((unused))); char ***argv __attribute__((unused)));

6
fuzz/main.c
View File

@@ -24,6 +24,8 @@
#include <dirent.h> #include <dirent.h>
bool debug = false;
static void static void
test_all_from(const char *dirname) { test_all_from(const char *dirname) {
DIR *dirp; DIR *dirp;
@@ -98,6 +100,10 @@ main(int argc, char **argv) {
UNUSED(argc); UNUSED(argc);
UNUSED(argv); UNUSED(argv);
if (argc != 1) {
debug = true;
}
target = (target != NULL) ? target + 1 : argv[0]; target = (target != NULL) ? target + 1 : argv[0];
if (strncmp(target, "lt-", 3) == 0) { if (strncmp(target, "lt-", 3) == 0) {
target += 3; target += 3;