The Samba-Bugzilla – Attachment 16580 Details for
Bug 14684
buffer overruns in talloc_string_sub2() due to false strstr_m matches
[patch]
The fuzzer.
0001-add-fuzz_talloc_string_sub-family.patch (text/plain), 7.74 KB, created by
Douglas Bagnall
on 2021-04-06 02:34:45 UTC
Description:
The fuzzer.
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2021-04-06 02:34:45 UTC
Size:
7.74 KB
patch
obsolete
>From 76ed615b8a5331188c1387c711f01d768d510fa0 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Tue, 9 Mar 2021 10:52:32 +1300
>Subject: [PATCH] add fuzz_talloc_string_sub family
>
>---
> lib/fuzzing/fuzz_talloc_all_string_sub.c | 71 ++++++++++++++++++++++
> lib/fuzzing/fuzz_talloc_string_sub.c | 71 ++++++++++++++++++++++
> lib/fuzzing/fuzz_talloc_string_sub2.c | 76 ++++++++++++++++++++++++
> lib/fuzzing/wscript_build | 15 +++++
> 4 files changed, 233 insertions(+)
> create mode 100644 lib/fuzzing/fuzz_talloc_all_string_sub.c
> create mode 100644 lib/fuzzing/fuzz_talloc_string_sub.c
> create mode 100644 lib/fuzzing/fuzz_talloc_string_sub2.c
>
>diff --git a/lib/fuzzing/fuzz_talloc_all_string_sub.c b/lib/fuzzing/fuzz_talloc_all_string_sub.c
>new file mode 100644
>index 00000000000..081c962e1dd
>--- /dev/null
>+++ b/lib/fuzzing/fuzz_talloc_all_string_sub.c
>@@ -0,0 +1,71 @@
>+/*
>+ Fuzz NMB parse_packet
>+ Copyright (C) Catalyst IT 2020
>+
>+ This program is free software; you can redistribute it and/or modify
>+ it under the terms of the GNU General Public License as published by
>+ the Free Software Foundation; either version 3 of the License, or
>+ (at your option) any later version.
>+
>+ This program is distributed in the hope that it will be useful,
>+ but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ GNU General Public License for more details.
>+
>+ You should have received a copy of the GNU General Public License
>+ along with this program. If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#include "source3/include/includes.h"
>+#include "libsmb/libsmb.h"
>+#include "util/bytearray.h"
>+#include "fuzzing/fuzzing.h"
>+//#include "util/substitute.h"
>+
>+
>+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
>+{
>+ TALLOC_CTX *mem_ctx = NULL;
>+ char *result = NULL;
>+ char s[65536];
>+ char pattern[65536];
>+ char insert[65536];
>+ size_t pattern_len, insert_len;
>+
>+ if (len < 4) {
>+ return 0;
>+ }
>+ pattern_len = PULL_LE_U16(input, 0);
>+ insert_len = PULL_LE_U16(input, 2);
>+ input += 4;
>+ len -= 4;
>+ if (pattern_len + insert_len > len) {
>+ return 0;
>+ }
>+
>+ len -= (pattern_len + insert_len);
>+ if (len >= sizeof(s)) {
>+ return 0;
>+ }
>+ memcpy(pattern, input, pattern_len);
>+ pattern[pattern_len] = '\0';
>+ input += pattern_len;
>+
>+ memcpy(insert, input, insert_len);
>+ insert[insert_len] = '\0';
>+ input += insert_len;
>+
>+ memcpy(s, input, len);
>+ s[len] = '\0';
>+ mem_ctx = talloc_new(NULL);
>+ result = talloc_all_string_sub(mem_ctx, s, pattern, insert);
>+ talloc_free(mem_ctx);
>+
>+ return 0;
>+}
>+
>+
>+int LLVMFuzzerInitialize(int *argc, char ***argv)
>+{
>+ return 0;
>+}
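Review bot: The file header comment at the top of this new file still reads `Fuzz NMB parse_packet`, which was copied from another fuzzer and does not describe this target; it should say what is fuzzed and how the input is laid out, e.g. `Fuzz talloc_all_string_sub: input is two little-endian u16 lengths, then pattern, insert and subject bytes`. The same stale header is in the fuzz_talloc_string_sub.c and fuzz_talloc_string_sub2.c hunks, and all three files also carry the commented-out `//#include "util/substitute.h"` and a `result` variable that is assigned but never read, which -Wunused-but-set-variable will flag; drop the variable and call the function for its effects alone, or keep it and use it. The return of `talloc_new(NULL)` is not checked, so on allocation failure the substitution runs with a NULL context and, assuming its result is allocated on that context, the result is not released by `talloc_free(mem_ctx)`; for a fuzz target an early `if (mem_ctx == NULL) { return 0; }` is enough. The length arithmetic itself is sound: both u16 lengths are bounded by the remaining input, the remainder is checked against `sizeof(s)`, and each terminator index stays inside its 65536-byte array.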
>diff --git a/lib/fuzzing/fuzz_talloc_string_sub.c b/lib/fuzzing/fuzz_talloc_string_sub.c
>new file mode 100644
>index 00000000000..0d5dd2a0248
>--- /dev/null
>+++ b/lib/fuzzing/fuzz_talloc_string_sub.c
>@@ -0,0 +1,71 @@
>+/*
>+ Fuzz NMB parse_packet
>+ Copyright (C) Catalyst IT 2020
>+
>+ This program is free software; you can redistribute it and/or modify
>+ it under the terms of the GNU General Public License as published by
>+ the Free Software Foundation; either version 3 of the License, or
>+ (at your option) any later version.
>+
>+ This program is distributed in the hope that it will be useful,
>+ but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ GNU General Public License for more details.
>+
>+ You should have received a copy of the GNU General Public License
>+ along with this program. If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#include "source3/include/includes.h"
>+#include "libsmb/libsmb.h"
>+#include "util/bytearray.h"
>+#include "fuzzing/fuzzing.h"
>+//#include "util/substitute.h"
>+
>+
>+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
>+{
>+ TALLOC_CTX *mem_ctx = NULL;
>+ char *result = NULL;
>+ char s[65536];
>+ char pattern[65536];
>+ char insert[65536];
>+ size_t pattern_len, insert_len;
>+
>+ if (len < 4) {
>+ return 0;
>+ }
>+ pattern_len = PULL_LE_U16(input, 0);
>+ insert_len = PULL_LE_U16(input, 2);
>+ input += 4;
>+ len -= 4;
>+ if (pattern_len + insert_len > len) {
>+ return 0;
>+ }
>+
>+ len -= (pattern_len + insert_len);
>+ if (len >= sizeof(s)) {
>+ return 0;
>+ }
>+ memcpy(pattern, input, pattern_len);
>+ pattern[pattern_len] = '\0';
>+ input += pattern_len;
>+
>+ memcpy(insert, input, insert_len);
>+ insert[insert_len] = '\0';
>+ input += insert_len;
>+
>+ memcpy(s, input, len);
>+ s[len] = '\0';
>+ mem_ctx = talloc_new(NULL);
>+ result = talloc_string_sub(mem_ctx, s, pattern, insert);
>+ talloc_free(mem_ctx);
>+
>+ return 0;
>+}
>+
>+
>+int LLVMFuzzerInitialize(int *argc, char ***argv)
>+{
>+ return 0;
>+}
>diff --git a/lib/fuzzing/fuzz_talloc_string_sub2.c b/lib/fuzzing/fuzz_talloc_string_sub2.c
>new file mode 100644
>index 00000000000..26451a86783
>--- /dev/null
>+++ b/lib/fuzzing/fuzz_talloc_string_sub2.c
>@@ -0,0 +1,76 @@
>+/*
>+ Fuzz NMB parse_packet
>+ Copyright (C) Catalyst IT 2020
>+
>+ This program is free software; you can redistribute it and/or modify
>+ it under the terms of the GNU General Public License as published by
>+ the Free Software Foundation; either version 3 of the License, or
>+ (at your option) any later version.
>+
>+ This program is distributed in the hope that it will be useful,
>+ but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ GNU General Public License for more details.
>+
>+ You should have received a copy of the GNU General Public License
>+ along with this program. If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#include "source3/include/includes.h"
>+#include "libsmb/libsmb.h"
>+#include "util/bytearray.h"
>+#include "fuzzing/fuzzing.h"
>+//#include "util/substitute.h"
>+
>+
>+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
>+{
>+ TALLOC_CTX *mem_ctx = NULL;
>+ char *result = NULL;
>+ char s[65536];
>+ char pattern[65536];
>+ char insert[65536];
>+ size_t pattern_len, insert_len;
>+ uint8_t flags;
>+
>+ if (len < 5) {
>+ return 0;
>+ }
>+ pattern_len = PULL_LE_U16(input, 0);
>+ insert_len = PULL_LE_U16(input, 2);
>+ flags = input[4];
>+ input += 5;
>+ len -= 5;
>+ if (pattern_len + insert_len > len) {
>+ return 0;
>+ }
>+
>+ len -= (pattern_len + insert_len);
>+ if (len >= sizeof(s)) {
>+ return 0;
>+ }
>+ memcpy(pattern, input, pattern_len);
>+ pattern[pattern_len] = '\0';
>+ input += pattern_len;
>+
>+ memcpy(insert, input, insert_len);
>+ insert[insert_len] = '\0';
>+ input += insert_len;
>+
>+ memcpy(s, input, len);
>+ s[len] = '\0';
>+ mem_ctx = talloc_new(NULL);
>+ result = talloc_string_sub2(mem_ctx, s, pattern, insert,
>+ flags & 1,
>+ flags & 2,
>+ flags & 4);
>+ talloc_free(mem_ctx);
>+
>+ return 0;
>+}
>+
>+
>+int LLVMFuzzerInitialize(int *argc, char ***argv)
>+{
>+ return 0;
>+}
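Review bot: The three boolean arguments built from `flags & 1`, `flags & 2` and `flags & 4` at the talloc_string_sub2() call are not explained anywhere in the file, so a reader has to open the callee to learn which behaviour each bit of `input[4]` toggles. A comment above the call such as `/* bits 0-2 of input[4] select, in parameter order, the three bool options of talloc_string_sub2(); bits 3-7 are ignored */` would make the input format self-describing, and naming the option on each argument line (`flags & 1, /* <first bool parameter> */` and so on, filled in from the prototype) would be better still. Stating that the upper five bits are unused also tells anyone building a seed corpus or dictionary that they carry no meaning.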
>diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
>index 7b74d2853f5..c026e9d8395 100644
>--- a/lib/fuzzing/wscript_build
>+++ b/lib/fuzzing/wscript_build
>@@ -140,6 +140,21 @@ bld.SAMBA_BINARY('fuzz_string_sub_talloc',
> deps='fuzzing afl-fuzz-main charset samba-util-core',
> fuzzer=True)
>
>+bld.SAMBA_BINARY('fuzz_talloc_string_sub',
>+ source='fuzz_talloc_string_sub.c',
>+ deps='fuzzing afl-fuzz-main samba3-util',
>+ fuzzer=True)
>+
>+bld.SAMBA_BINARY('fuzz_talloc_all_string_sub',
>+ source='fuzz_talloc_all_string_sub.c',
>+ deps='fuzzing afl-fuzz-main samba3-util',
>+ fuzzer=True)
>+
>+bld.SAMBA_BINARY('fuzz_talloc_string_sub2',
>+ source='fuzz_talloc_string_sub2.c',
>+ deps='fuzzing afl-fuzz-main samba3-util',
>+ fuzzer=True)
>+
> bld.SAMBA_BINARY('fuzz_string_sub',
> source='fuzz_string_sub.c',
> deps='fuzzing afl-fuzz-main charset samba-util-core',
>--
>2.25.1
>