Merge pull request #10190 from evverx/fuzz-ndisc-rs
Add a fuzzer for sd-ndisc and a reproducer for an infinite loop in ndisc_handle_datagram
This commit is contained in:
commit
83043e8dc8
|
@ -0,0 +1,57 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1+ */
|
||||
|
||||
#include <netinet/icmp6.h>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "icmp6-util.h"
|
||||
#include "fuzz.h"
|
||||
#include "sd-ndisc.h"
|
||||
#include "socket-util.h"
|
||||
#include "ndisc-internal.h"
|
||||
|
||||
static int test_fd[2];
|
||||
|
||||
int icmp6_bind_router_solicitation(int index) {
|
||||
assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, test_fd) >= 0);
|
||||
return test_fd[0];
|
||||
}
|
||||
|
||||
int icmp6_bind_router_advertisement(int index) {
|
||||
return -ENOSYS;
|
||||
}
|
||||
|
||||
int icmp6_receive(int fd, void *iov_base, size_t iov_len,
|
||||
struct in6_addr *dst, triple_timestamp *timestamp) {
|
||||
assert_se(read(fd, iov_base, iov_len) == (ssize_t) iov_len);
|
||||
|
||||
if (timestamp)
|
||||
triple_timestamp_get(timestamp);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int icmp6_send_router_solicitation(int s, const struct ether_addr *ether_addr) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||
struct ether_addr mac_addr = {
|
||||
.ether_addr_octet = {'A', 'B', 'C', '1', '2', '3'}
|
||||
};
|
||||
_cleanup_(sd_event_unrefp) sd_event *e = NULL;
|
||||
_cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL;
|
||||
|
||||
assert_se(sd_event_new(&e) >= 0);
|
||||
assert_se(sd_ndisc_new(&nd) >= 0);
|
||||
assert_se(sd_ndisc_attach_event(nd, e, 0) >= 0);
|
||||
assert_se(sd_ndisc_set_ifindex(nd, 42) >= 0);
|
||||
assert_se(sd_ndisc_set_mac(nd, &mac_addr) >= 0);
|
||||
assert_se(sd_ndisc_start(nd) >= 0);
|
||||
assert_se(write(test_fd[1], data, size) == (ssize_t) size);
|
||||
(void) sd_event_run(e, (uint64_t) -1);
|
||||
assert_se(sd_ndisc_stop(nd) >= 0);
|
||||
close(test_fd[1]);
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -14,6 +14,16 @@ fuzzers += [
|
|||
libshared],
|
||||
[]],
|
||||
|
||||
[['src/fuzz/fuzz-ndisc-rs.c',
|
||||
'src/libsystemd-network/dhcp-identifier.h',
|
||||
'src/libsystemd-network/dhcp-identifier.c',
|
||||
'src/libsystemd-network/icmp6-util.h',
|
||||
'src/systemd/sd-dhcp6-client.h',
|
||||
'src/systemd/sd-ndisc.h'],
|
||||
[libshared,
|
||||
libsystemd_network],
|
||||
[]],
|
||||
|
||||
[['src/fuzz/fuzz-unit-file.c'],
|
||||
[libcore,
|
||||
libshared],
|
||||
|
|
|
@ -168,7 +168,7 @@ int ndisc_router_parse(sd_ndisc_router *rt) {
|
|||
|
||||
if (has_mtu) {
|
||||
log_ndisc("MTU option specified twice, ignoring.");
|
||||
continue;
|
||||
break;
|
||||
}
|
||||
|
||||
if (length != 8) {
|
||||
|
@ -209,7 +209,7 @@ int ndisc_router_parse(sd_ndisc_router *rt) {
|
|||
|
||||
if (has_flag_extension) {
|
||||
log_ndisc("Flags extension option specified twice, ignoring.");
|
||||
continue;
|
||||
break;
|
||||
}
|
||||
|
||||
if (length < 1*8) {
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -22,6 +22,8 @@ fuzz_regression_tests = '''
|
|||
fuzz-journald-syslog/github-9820
|
||||
fuzz-journald-syslog/github-9827
|
||||
fuzz-journald-syslog/github-9829
|
||||
fuzz-ndisc-rs/timeout-2815b773c712fa33bea62f541dfa3017c64ea2f1
|
||||
fuzz-ndisc-rs/timeout-61fff7fd1e5dcc07e1b656baab29065ce634ad5b
|
||||
fuzz-unit-file/oss-fuzz-6884
|
||||
fuzz-unit-file/oss-fuzz-6885
|
||||
fuzz-unit-file/oss-fuzz-6886
|
||||
|
|
Loading…
Reference in New Issue