fuzz: add DHCP server fuzzer
This commit is contained in:
parent
09f5dfad2c
commit
2bd37c5be2
|
@ -43,7 +43,11 @@ fi
|
|||
meson $build -D$fuzzflag -Db_lundef=false
|
||||
ninja -C $build fuzzers
|
||||
|
||||
# get DNS packet corpus
|
||||
for d in "$(dirname "$0")/../test/fuzz-corpus/"*; do
|
||||
zip -jqr $OUT/fuzz-$(basename "$d")_seed_corpus.zip "$d"
|
||||
done
|
||||
|
||||
# get fuzz-dns-packet corpus
|
||||
df=$build/dns-fuzzing
|
||||
git clone --depth 1 https://github.com/CZ-NIC/dns-fuzzing $df
|
||||
zip -jqr $OUT/fuzz-dns-packet_seed_corpus.zip $df/packet
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1+ */
|
||||
/***
|
||||
Copyright 2018 Jonathan Rudenberg
|
||||
|
||||
systemd is free software; you can redistribute it and/or modify it
|
||||
under the terms of the GNU Lesser General Public License as published by
|
||||
the Free Software Foundation; either version 2.1 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
systemd is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public License
|
||||
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
***/
|
||||
|
||||
#include "fuzz.h"
|
||||
|
||||
#include "sd-dhcp-server.c"
|
||||
|
||||
/* stub out network so that the server doesn't send */
|
||||
ssize_t sendto(int sockfd, const void *buf, size_t len, int flags, const struct sockaddr *dest_addr, socklen_t addrlen) {
|
||||
return len;
|
||||
}
|
||||
|
||||
ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||
_cleanup_(sd_dhcp_server_unrefp) sd_dhcp_server *server = NULL;
|
||||
struct in_addr address = {.s_addr = htobe32(UINT32_C(10) << 24 | UINT32_C(1))};
|
||||
static const uint8_t chaddr[] = {3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3};
|
||||
uint8_t *client_id;
|
||||
DHCPLease *lease;
|
||||
int pool_offset;
|
||||
|
||||
if (size < sizeof(DHCPMessage))
|
||||
return 0;
|
||||
|
||||
assert_se(sd_dhcp_server_new(&server, 1) >= 0);
|
||||
server->fd = open("/dev/null", O_RDWR|O_CLOEXEC|O_NOCTTY);
|
||||
assert_se(server->fd >= 0);
|
||||
assert_se(sd_dhcp_server_configure_pool(server, &address, 24, 0, 0) >= 0);
|
||||
|
||||
/* add a lease to the pool to expose additional code paths */
|
||||
client_id = malloc(2);
|
||||
assert_se(client_id);
|
||||
client_id[0] = 2;
|
||||
client_id[1] = 2;
|
||||
lease = new0(DHCPLease, 1);
|
||||
assert_se(lease);
|
||||
lease->client_id.length = 2;
|
||||
lease->client_id.data = client_id;
|
||||
lease->address = htobe32(UINT32_C(10) << 24 | UINT32_C(2));
|
||||
lease->gateway = htobe32(UINT32_C(10) << 24 | UINT32_C(1));
|
||||
lease->expiration = UINT64_MAX;
|
||||
memcpy(lease->chaddr, chaddr, 16);
|
||||
pool_offset = get_pool_offset(server, lease->address);
|
||||
server->bound_leases[pool_offset] = lease;
|
||||
assert_se(hashmap_put(server->leases_by_client_id, &lease->client_id, lease) >= 0);
|
||||
|
||||
dhcp_server_handle_message(server, (DHCPMessage*)data, size);
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
[libfuzzer]
|
||||
max_len = 600
|
|
@ -22,4 +22,9 @@ fuzzers += [
|
|||
[libgcrypt,
|
||||
libgpg_error,
|
||||
libm]],
|
||||
[['src/fuzz/fuzz-dhcp-server.c',
|
||||
],
|
||||
[libsystemd_network,
|
||||
libshared],
|
||||
[]]
|
||||
]
|
||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading…
Reference in New Issue