From 0114de5cceebb25e2b0bfdc1ab8f363cc3cef052 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Thu, 26 Nov 2020 16:04:15 +1300 Subject: [PATCH 2/2] fuzz tldap_push_filter BUG: https://bugzilla.samba.org/show_bug.cgi?id=14600 Signed-off-by: Douglas Bagnall --- lib/fuzzing/fuzz_tldap_push_filter.c | 70 ++++++++++++++++++++++++++++ lib/fuzzing/wscript_build | 9 ++++ source3/include/tldap.h | 9 ++++ source3/lib/tldap.c | 10 ++++ 4 files changed, 98 insertions(+) create mode 100644 lib/fuzzing/fuzz_tldap_push_filter.c diff --git a/lib/fuzzing/fuzz_tldap_push_filter.c b/lib/fuzzing/fuzz_tldap_push_filter.c new file mode 100644 index 00000000000..1ba57bd6863 --- /dev/null +++ b/lib/fuzzing/fuzz_tldap_push_filter.c 
@@ -0,0 +1,70 @@
+/*
+ Fuzz NMB parse_packet
+ Copyright (C) Catalyst IT 2020
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "replace.h"
+#include "includes.h"
+//#include "auth/gensec/gensec.h"
+#include "fuzzing/fuzzing.h"
+//#include "lib/util/asn1.h"
+#include "libcli/security/security.h"
+
+#include "tldap.h"
+//#include "tldap_util.h"
+#include "tldap_gensec_bind.h"
+#include
+#include
+#include
+
+
+#define MAX_LENGTH (1024 * 100)
+char buf[MAX_LENGTH + 1];
+
+
+int dummy_fd;
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ dummy_fd = open("/dev/null", O_RDWR);
+ return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+ TALLOC_CTX *mem_ctx = NULL;
+ struct asn1_data *asn1 = NULL;
+ struct tldap_context *ld;
+
+ if (len > MAX_LENGTH) {
+ return 0;
+ }
+
+ /* Talloc_stackframe because the push_filter code uses talloc_tos() */
+ mem_ctx = talloc_stackframe();
+ asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
+ ld = tldap_context_create(mem_ctx, dummy_fd);
+ if (ld == NULL) {
+ abort();
+ }
+ memcpy(buf, input, len);
+ buf[len] = '\0';
+
+ tldap_push_filter_fuzz(ld, asn1, buf);
+ talloc_free(mem_ctx);
+ return 0;
+}
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index 1322d713d0b..60d2878be39 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
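Review bot: The result of `asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);` is handed to tldap_push_filter_fuzz() without a NULL check, while the tldap_context_create() result two lines later is checked and aborts; if asn1_init() can fail on allocation (its body is not visible here) a NULL encoder would reach the target and show up as a harness crash rather than a real finding. Mirror the existing check with `if (asn1 == NULL) { abort(); }` right after the asn1_init() call. The file header still reads `Fuzz NMB parse_packet`, copied from another target, and should say `Fuzz tldap_push_filter`; the three `//#include` lines are dead and should be dropped rather than left commented out. The buffer handling is sound: `len > MAX_LENGTH` rejects oversize input, so `buf[len] = '\0'` stays within the `MAX_LENGTH + 1` bytes of `buf`. Because the filter is consumed as a C string, input bytes after an embedded NUL never reach the target, which is worth a one-line comment next to `buf[len] = '\0';` so nobody later "fixes" the copy to pass the full length.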
@@ -82,6 +82,15 @@ bld.SAMBA_BINARY('fuzz_cli_credentials_parse_string', deps='fuzzing samba-credentials afl-fuzz-main', fuzzer=True) +bld.SAMBA_BINARY('fuzz_tldap_push_filter', + source='fuzz_tldap_push_filter.c', + deps='''fuzzing TLDAP afl-fuzz-main + talloc + smbconf + libsmb + LOCKING + ''', + fuzzer=True) # The fuzz_type and fuzz_function parameters make the built # fuzzer take the same input as ndrdump and so the same that # could be sent to the client or server as the stub data. diff --git a/source3/include/tldap.h b/source3/include/tldap.h index 23e3f1b655b..138d218a605 100644 --- a/source3/include/tldap.h +++ b/source3/include/tldap.h @@ -312,4 +312,13 @@ void tldap_set_debug(struct tldap_context *ld, #define TLDAP_CONTROL_PAGEDRESULTS "1.2.840.113556.1.4.319" +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */ +#include "lib/util/asn1.h" + +bool tldap_push_filter_fuzz(struct tldap_context *ld, + struct asn1_data *data, + const char *filter); +#endif + #endif diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c index 082a3e0b481..8dbea0eaf53 100644 --- a/source3/lib/tldap.c +++ b/source3/lib/tldap.c @@ -1797,6 +1797,16 @@ static bool tldap_push_filter(struct tldap_context *ld, return ret; } +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */ +bool tldap_push_filter_fuzz(struct tldap_context *ld, + struct asn1_data *data, + const char *filter) +{ + return tldap_push_filter(ld, data, filter); +} +#endif + /*****************************************************************************/ static void tldap_search_done(struct tevent_req *subreq); -- 2.20.1
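Review bot: The guarded block in tldap.h pulls `#include "lib/util/asn1.h"` into the public header solely for the `struct asn1_data *` parameter of the new prototype; a forward declaration `struct asn1_data;` is sufficient for a pointer parameter and keeps the fuzzing build's header identical to production apart from the one prototype. The fuzzer in lib/fuzzing/fuzz_tldap_push_filter.c calls asn1_init() and uses ASN1_MAX_TREE_DEPTH, so it would then include asn1.h itself (its own include of that header is currently commented out) instead of relying on the header's guarded include. The comment `poke a hole in the API` could also state that the symbol is only defined when the same macro is set when compiling source3/lib/tldap.c, so production code cannot link against it.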
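Review bot: The comment above tldap_push_filter_fuzz() in tldap.c repeats the header's wording but not the reason for a wrapper instead of dropping `static` from tldap_push_filter(), so a reader of tldap.c alone cannot see why the extra symbol exists. Suggest `/* Fuzz-only entry point: keeps tldap_push_filter() static in production builds while exposing it to lib/fuzzing/fuzz_tldap_push_filter.c. */`. The wrapper itself is a straight pass-through and returns tldap_push_filter()'s bool unchanged, which the fuzz target currently discards; that is fine for a crash-finding harness but worth a word in the same comment.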