Attachment 17283 Details for Bug 14600 – tldap push fuzzer with a parsing fix

[patch] tldap push fuzzer with a parsing fix

fuzz_tldap_push_filter.patch (text/plain), 4.88 KB, created by Douglas Bagnall on 2022-05-12 03:48:27 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Douglas Bagnall

Created: 2022-05-12 03:48:27 UTC

Size: 4.88 KB

patch

obsolete

>From b7cff10398fe3a7c41033f0d872046cc442e0e66 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Sun, 20 Dec 2020 12:17:56 +1300
>Subject: [PATCH 1/2] tldap: avoid infinite loop when filter contains "\)"
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> source3/lib/tldap.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
>index e008b04e5e6..082a3e0b481 100644
>--- a/source3/lib/tldap.c
>+++ b/source3/lib/tldap.c
>@@ -1238,6 +1238,7 @@ static char *tldap_get_val(TALLOC_CTX *memctx,
> 	while (*s) {
> 		s = strchr(s, ')');
> 		if (s && (*(s - 1) == '\\')) {
>+			s++;
> 			continue;
> 		}
> 		break;
>-- 
>2.25.1
>
>
>From df80961306d44f0330a950a253567c46dbcfc916 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Thu, 26 Nov 2020 16:04:15 +1300
>Subject: [PATCH 2/2] fuzz: fuzz tldap_push_filter()
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/fuzzing/fuzz_tldap_push_filter.c | 79 ++++++++++++++++++++++++++++
> lib/fuzzing/wscript_build            |  9 ++++
> source3/lib/tldap.c                  | 10 ++++
> 3 files changed, 98 insertions(+)
> create mode 100644 lib/fuzzing/fuzz_tldap_push_filter.c
>
>diff --git a/lib/fuzzing/fuzz_tldap_push_filter.c b/lib/fuzzing/fuzz_tldap_push_filter.c
>new file mode 100644
>index 00000000000..e6cba3f8755
>--- /dev/null
>+++ b/lib/fuzzing/fuzz_tldap_push_filter.c
>@@ -0,0 +1,79 @@
>+/*
>+  Fuzz NMB parse_packet
>+  Copyright (C) Catalyst IT 2020
>+
>+  This program is free software; you can redistribute it and/or modify
>+  it under the terms of the GNU General Public License as published by
>+  the Free Software Foundation; either version 3 of the License, or
>+  (at your option) any later version.
>+
>+  This program is distributed in the hope that it will be useful,
>+  but WITHOUT ANY WARRANTY; without even the implied warranty of
>+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>+  GNU General Public License for more details.
>+
>+  You should have received a copy of the GNU General Public License
>+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
>+*/
>+
>+#include "replace.h"
>+#include "includes.h"
>+#include "fuzzing/fuzzing.h"
>+#include "libcli/security/security.h"
>+#include "lib/util/asn1.h"
>+#include "tldap.h"
>+#include "tldap_gensec_bind.h"
>+#include <sys/types.h>
>+#include <sys/stat.h>
>+#include <fcntl.h>
>+
>+/*
>+ * This function is defined in source3/lib/tldap.c, guarded by
>+ *
>+ * #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
>+ *
>+ * It wraps the static tldap_push_filter().
>+ */
>+
>+extern bool tldap_push_filter_fuzz(struct tldap_context *ld,
>+				   struct asn1_data *data,
>+				   const char *filter);
>+
>+
>+
>+#define MAX_LENGTH (1024 * 100)
>+char buf[MAX_LENGTH + 1];
>+
>+
>+int dummy_fd;
>+
>+int LLVMFuzzerInitialize(int *argc, char ***argv)
>+{
>+	dummy_fd = open("/dev/null", O_RDWR);
>+	return 0;
>+}
>+
>+
>+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
>+{
>+	TALLOC_CTX *mem_ctx = NULL;
>+	struct asn1_data *asn1 = NULL;
>+	struct tldap_context *ld;
>+
>+	if (len > MAX_LENGTH) {
>+		return 0;
>+	}
>+
>+	mem_ctx = talloc_stackframe();
>+	asn1 = asn1_init(mem_ctx, ASN1_MAX_TREE_DEPTH);
>+	ld = tldap_context_create(mem_ctx, dummy_fd);
>+	if (ld == NULL) {
>+		abort();
>+	}
>+	memcpy(buf, input, len);
>+	buf[len]  = '\0';
>+
>+	tldap_push_filter_fuzz(ld, asn1, buf);
>+	talloc_free(mem_ctx);
>+	return 0;
>+}
>diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
>index 9bfb049e5c0..440fb14009b 100644
>--- a/lib/fuzzing/wscript_build
>+++ b/lib/fuzzing/wscript_build
>@@ -87,6 +87,15 @@ bld.SAMBA_BINARY('fuzz_cli_credentials_parse_string',
>                  deps='fuzzing samba-credentials afl-fuzz-main',
>                  fuzzer=True)
> 
>+bld.SAMBA_BINARY('fuzz_tldap_push_filter',
>+                 source='fuzz_tldap_push_filter.c',
>+                 deps='''fuzzing TLDAP afl-fuzz-main
>+                      talloc
>+                      smbconf
>+                      libsmb
>+                      LOCKING
>+                         ''',
>+                 fuzzer=True)
> # The fuzz_type and fuzz_function parameters make the built
> # fuzzer take the same input as ndrdump and so the same that
> # could be sent to the client or server as the stub data.
>diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
>index 082a3e0b481..8dbea0eaf53 100644
>--- a/source3/lib/tldap.c
>+++ b/source3/lib/tldap.c
>@@ -1797,6 +1797,16 @@ static bool tldap_push_filter(struct tldap_context *ld,
> 	return ret;
> }
> 
>+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
>+/* In fuzzing mode we poke a hole in the API for a simple fuzz target. */
>+bool tldap_push_filter_fuzz(struct tldap_context *ld,
>+			    struct asn1_data *data,
>+			    const char *filter)
>+{
>+	return tldap_push_filter(ld, data, filter);
>+}
>+#endif
>+
> /*****************************************************************************/
> 
> static void tldap_search_done(struct tevent_req *subreq);
>-- 
>2.25.1
>

Actions: View

Attachments on bug 14600: 16370 | 16371 | 17283