Attachment 16371 Details for Bug 14600 – the fuzz target that finds this

[patch] the fuzz target that finds this

0002-fuzz-tldap_push_filter.patch (text/plain), 4.69 KB, created by Douglas Bagnall on 2020-12-19 23:40:05 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Douglas Bagnall

Created: 2020-12-19 23:40:05 UTC

Size: 4.69 KB

patch

obsolete

>From 0114de5cceebb25e2b0bfdc1ab8f363cc3cef052 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Thu, 26 Nov 2020 16:04:15 +1300
>Subject: [PATCH 2/2] fuzz tldap_push_filter
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14600
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/fuzzing/fuzz_tldap_push_filter.c | 70 ++++++++++++++++++++++++++++
> lib/fuzzing/wscript_build            |  9 ++++
> source3/include/tldap.h              |  9 ++++
> source3/lib/tldap.c                  | 10 ++++
> 4 files changed, 98 insertions(+)
> create mode 100644 lib/fuzzing/fuzz_tldap_push_filter.c
>
>diff --git a/lib/fuzzing/fuzz_tldap_push_filter.c b/lib/fuzzing/fuzz_tldap_push_filter.c
>new file mode 100644
>index 00000000000..1ba57bd6863
>--- /dev/null
>+++ b/lib/fuzzing/fuzz_tldap_push_filter.c
>@@ -0,0 +1,70 @@
>+/*
>+  Fuzz NMB parse_packet
>+  Copyright (C) Catalyst IT 2020
>+
>+  This program is free software; you can redistribute it and/or modify
>+  it under the terms of the GNU General Public License as published by
>+  the Free Software Foundation; either version 3 of the License, or
>+  (at your option) any later version.
>+
>+  This program is distributed in the hope that it will be useful,
>+  but WITHOUT ANY WARRANTY; without even the implied warranty of
>+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>+  GNU General Public License for more details.
>+
>+  You should have received a copy of the GNU General Public License
>+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#include "replace.h"
>+#include "includes.h"
>+//#include "auth/gensec/gensec.h"
>+#include "fuzzing/fuzzing.h"
>+//#include "lib/util/asn1.h"
>+#include "libcli/security/security.h"
>+
>+#include "tldap.h"
>+//#include "tldap_util.h"
>+#include "tldap_gensec_bind.h"
>+#include <sys/types.h>
>+#include <sys/stat.h>
>+#include <fcntl.h>
>+
>+
>+#define MAX_LENGTH (1024 * 100)
>+char buf[MAX_LENGTH + 1];
>+
>+
>+int dummy_fd;
>+
>+int LLVMFuzzerInitialize(int *argc, char ***argv)
>+{
>+	dummy_fd = open("/dev/null", O_RDWR);
>+	return 0;
>+}
>+
>+
>+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
>+{
>+	TALLOC_CTX *mem_ctx = NULL;
>+	struct asn1_data *asn1 = NULL;
>+	struct tldap_context *ld;
>+
>+	if (len > MAX_LENGTH) {
>+		return 0;
>+	}
>+
>+	/* Talloc_stackframe because the push_filter code uses talloc_tos() */
>+	mem_ctx = talloc_stackframe();
>+	asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
>+	ld = tldap_context_create(mem_ctx, dummy_fd);
>+	if (ld == NULL) {
>+		abort();
>+	}
>+	memcpy(buf, input, len);
>+	buf[len]  = '\0';
>+
>+	tldap_push_filter_fuzz(ld, asn1, buf);
>+	talloc_free(mem_ctx);
>+	return 0;
>+}
>diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
>index 1322d713d0b..60d2878be39 100644
>--- a/lib/fuzzing/wscript_build
>+++ b/lib/fuzzing/wscript_build
>@@ -82,6 +82,15 @@ bld.SAMBA_BINARY('fuzz_cli_credentials_parse_string',
>                  deps='fuzzing samba-credentials afl-fuzz-main',
>                  fuzzer=True)
> 
>+bld.SAMBA_BINARY('fuzz_tldap_push_filter',
>+                 source='fuzz_tldap_push_filter.c',
>+                 deps='''fuzzing TLDAP afl-fuzz-main
>+                      talloc
>+                      smbconf
>+                      libsmb
>+                      LOCKING
>+                         ''',
>+                 fuzzer=True)
> # The fuzz_type and fuzz_function parameters make the built
> # fuzzer take the same input as ndrdump and so the same that
> # could be sent to the client or server as the stub data.
>diff --git a/source3/include/tldap.h b/source3/include/tldap.h
>index 23e3f1b655b..138d218a605 100644
>--- a/source3/include/tldap.h
>+++ b/source3/include/tldap.h
>@@ -312,4 +312,13 @@ void tldap_set_debug(struct tldap_context *ld,
> 
> #define TLDAP_CONTROL_PAGEDRESULTS "1.2.840.113556.1.4.319"
> 
>+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
>+/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */
>+#include "lib/util/asn1.h"
>+
>+bool tldap_push_filter_fuzz(struct tldap_context *ld,
>+			    struct asn1_data *data,
>+			    const char *filter);
>+#endif
>+
> #endif
>diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
>index 082a3e0b481..8dbea0eaf53 100644
>--- a/source3/lib/tldap.c
>+++ b/source3/lib/tldap.c
>@@ -1797,6 +1797,16 @@ static bool tldap_push_filter(struct tldap_context *ld,
> 	return ret;
> }
> 
>+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
>+/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */
>+bool tldap_push_filter_fuzz(struct tldap_context *ld,
>+			    struct asn1_data *data,
>+			    const char *filter)
>+{
>+	return tldap_push_filter(ld, data, filter);
>+}
>+#endif
>+
> /*****************************************************************************/
> 
> static void tldap_search_done(struct tevent_req *subreq);
>-- 
>2.20.1
>

Actions: View

Attachments on bug 14600: 16370 | 16371 | 17283