The Samba-Bugzilla – Attachment 16371 Details for
Bug 14600
infinite loop in tldap filter parsing
[patch]
the fuzz target that finds this
0002-fuzz-tldap_push_filter.patch (text/plain), 4.69 KB, created by
Douglas Bagnall
on 2020-12-19 23:40:05 UTC
Description: the fuzz target that finds this
Filename: 0002-fuzz-tldap_push_filter.patch
MIME Type: text/plain
Creator: Douglas Bagnall
Created: 2020-12-19 23:40:05 UTC
Size: 4.69 KB
Flags: patch, obsolete
>From 0114de5cceebb25e2b0bfdc1ab8f363cc3cef052 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Thu, 26 Nov 2020 16:04:15 +1300 >Subject: [PATCH 2/2] fuzz tldap_push_filter > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14600 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > lib/fuzzing/fuzz_tldap_push_filter.c | 70 ++++++++++++++++++++++++++++ > lib/fuzzing/wscript_build | 9 ++++ > source3/include/tldap.h | 9 ++++ > source3/lib/tldap.c | 10 ++++ > 4 files changed, 98 insertions(+) > create mode 100644 lib/fuzzing/fuzz_tldap_push_filter.c > >diff --git a/lib/fuzzing/fuzz_tldap_push_filter.c b/lib/fuzzing/fuzz_tldap_push_filter.c >new file mode 100644 >index 00000000000..1ba57bd6863 >--- /dev/null >+++ b/lib/fuzzing/fuzz_tldap_push_filter.c 
>@@ -0,0 +1,70 @@ >+/* >+ Fuzz NMB parse_packet >+ Copyright (C) Catalyst IT 2020 >+ >+ This program is free software; you can redistribute it and/or modify >+ it under the terms of the GNU General Public License as published by >+ the Free Software Foundation; either version 3 of the License, or >+ (at your option) any later version. >+ >+ This program is distributed in the hope that it will be useful, >+ but WITHOUT ANY WARRANTY; without even the implied warranty of >+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ GNU General Public License for more details. >+ >+ You should have received a copy of the GNU General Public License >+ along with this program. If not, see <http://www.gnu.org/licenses/>. >+*/ >+ >+#include "replace.h" >+#include "includes.h" >+//#include "auth/gensec/gensec.h" >+#include "fuzzing/fuzzing.h" >+//#include "lib/util/asn1.h" >+#include "libcli/security/security.h" >+ >+#include "tldap.h" >+//#include "tldap_util.h" >+#include "tldap_gensec_bind.h" >+#include <sys/types.h> >+#include <sys/stat.h> >+#include <fcntl.h> >+ >+ >+#define MAX_LENGTH (1024 * 100) >+char buf[MAX_LENGTH + 1]; >+ >+ >+int dummy_fd; >+ >+int LLVMFuzzerInitialize(int *argc, char ***argv) >+{ >+ dummy_fd = open("/dev/null", O_RDWR); >+ return 0; >+} >+ >+ >+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len) >+{ >+ TALLOC_CTX *mem_ctx = NULL; >+ struct asn1_data *asn1 = NULL; >+ struct tldap_context *ld; >+ >+ if (len > MAX_LENGTH) { >+ return 0; >+ } >+ >+ /* Talloc_stackframe because the push_filter code uses talloc_tos() */ >+ mem_ctx = talloc_stackframe(); >+ asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH); >+ ld = tldap_context_create(mem_ctx, dummy_fd); >+ if (ld == NULL) { >+ abort(); >+ } >+ memcpy(buf, input, len); >+ buf[len] = '\0'; >+ >+ tldap_push_filter_fuzz(ld, asn1, buf); >+ talloc_free(mem_ctx); >+ return 0; >+} >diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build >index 1322d713d0b..60d2878be39 100644 
>--- a/lib/fuzzing/wscript_build >+++ b/lib/fuzzing/wscript_build >@@ -82,6 +82,15 @@ bld.SAMBA_BINARY('fuzz_cli_credentials_parse_string', > deps='fuzzing samba-credentials afl-fuzz-main', > fuzzer=True) > >+bld.SAMBA_BINARY('fuzz_tldap_push_filter', >+ source='fuzz_tldap_push_filter.c', >+ deps='''fuzzing TLDAP afl-fuzz-main >+ talloc >+ smbconf >+ libsmb >+ LOCKING >+ ''', >+ fuzzer=True) > # The fuzz_type and fuzz_function parameters make the built > # fuzzer take the same input as ndrdump and so the same that > # could be sent to the client or server as the stub data. >diff --git a/source3/include/tldap.h b/source3/include/tldap.h >index 23e3f1b655b..138d218a605 100644 >--- a/source3/include/tldap.h >+++ b/source3/include/tldap.h >@@ -312,4 +312,13 @@ void tldap_set_debug(struct tldap_context *ld, > > #define TLDAP_CONTROL_PAGEDRESULTS "1.2.840.113556.1.4.319" > >+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION >+/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */ >+#include "lib/util/asn1.h" >+ >+bool tldap_push_filter_fuzz(struct tldap_context *ld, >+ struct asn1_data *data, >+ const char *filter); >+#endif >+ > #endif >diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c >index 082a3e0b481..8dbea0eaf53 100644 >--- a/source3/lib/tldap.c >+++ b/source3/lib/tldap.c >@@ -1797,6 +1797,16 @@ static bool tldap_push_filter(struct tldap_context *ld, > return ret; > } > >+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION >+/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */ >+bool tldap_push_filter_fuzz(struct tldap_context *ld, >+ struct asn1_data *data, >+ const char *filter) >+{ >+ return tldap_push_filter(ld, data, filter); >+} >+#endif >+ > /*****************************************************************************/ > > static void tldap_search_done(struct tevent_req *subreq); >-- >2.20.1 >
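Review bot: in lib/fuzzing/fuzz_tldap_push_filter.c the return value of `asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH)` is never checked, while the `tldap_context_create()` result right below it is; an allocation failure there would be passed as a NULL `asn1` into `tldap_push_filter_fuzz()`, so mirror the existing check (`if (asn1 == NULL) { abort(); }`) for it. The same file also carries leftovers that should go before merging: the header comment reads "Fuzz NMB parse_packet" although this target fuzzes tldap_push_filter, the three `//#include` lines (gensec.h, asn1.h, tldap_util.h) are dead, and `dummy_fd = open("/dev/null", O_RDWR)` in LLVMFuzzerInitialize is not checked for -1.

Review bot: in source3/include/tldap.h the new `#include "lib/util/asn1.h"` is only needed for the `struct asn1_data *` parameter of `tldap_push_filter_fuzz()`; a forward declaration (`struct asn1_data;`) would give the same prototype without pulling the asn1 header into tldap.h, even though the include is already confined to the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION block.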