Merge pull request #10190 from evverx/fuzz-ndisc-rs

Add a fuzzer for sd-ndisc and a reproducer for an infinite loop in ndisc_handle_datagram

src/fuzz/fuzz-ndisc-rs.c

@@ -0,0 +1,57 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include <netinet/icmp6.h>
+#include <arpa/inet.h>
+
+#include "alloc-util.h"
+#include "icmp6-util.h"
+#include "fuzz.h"
+#include "sd-ndisc.h"
+#include "socket-util.h"
+#include "ndisc-internal.h"
+
+static int test_fd[2];
+
+int icmp6_bind_router_solicitation(int index) {
+        assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, test_fd) >= 0);
+        return test_fd[0];
+}
+
+int icmp6_bind_router_advertisement(int index) {
+        return -ENOSYS;
+}
+
+int icmp6_receive(int fd, void *iov_base, size_t iov_len,
+                  struct in6_addr *dst, triple_timestamp *timestamp) {
+        assert_se(read(fd, iov_base, iov_len) == (ssize_t) iov_len);
+
+        if (timestamp)
+                triple_timestamp_get(timestamp);
+
+        return 0;
+}
+
+int icmp6_send_router_solicitation(int s, const struct ether_addr *ether_addr) {
+        return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+        struct ether_addr mac_addr = {
+                .ether_addr_octet = {'A', 'B', 'C', '1', '2', '3'}
+        };
+        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
+        _cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL;
+
+        assert_se(sd_event_new(&e) >= 0);
+        assert_se(sd_ndisc_new(&nd) >= 0);
+        assert_se(sd_ndisc_attach_event(nd, e, 0) >= 0);
+        assert_se(sd_ndisc_set_ifindex(nd, 42) >= 0);
+        assert_se(sd_ndisc_set_mac(nd, &mac_addr) >= 0);
+        assert_se(sd_ndisc_start(nd) >= 0);
+        assert_se(write(test_fd[1], data, size) == (ssize_t) size);
+        (void) sd_event_run(e, (uint64_t) -1);
+        assert_se(sd_ndisc_stop(nd) >= 0);
+        close(test_fd[1]);
+
+        return 0;
+}

src/fuzz/meson.build

@@ -14,6 +14,16 @@ fuzzers += [
           libshared],
          []],
 
+        [['src/fuzz/fuzz-ndisc-rs.c',
+          'src/libsystemd-network/dhcp-identifier.h',
+          'src/libsystemd-network/dhcp-identifier.c',
+          'src/libsystemd-network/icmp6-util.h',
+          'src/systemd/sd-dhcp6-client.h',
+          'src/systemd/sd-ndisc.h'],
+         [libshared,
+          libsystemd_network],
+         []],
+
         [['src/fuzz/fuzz-unit-file.c'],
          [libcore,
           libshared],

src/libsystemd-network/ndisc-router.c

@@ -168,7 +168,7 @@ int ndisc_router_parse(sd_ndisc_router *rt) {
 
                         if (has_mtu) {
                                 log_ndisc("MTU option specified twice, ignoring.");
-                                continue;
+                                break;
                         }
 
                         if (length != 8) {
@@ -209,7 +209,7 @@ int ndisc_router_parse(sd_ndisc_router *rt) {
 
                         if (has_flag_extension) {
                                 log_ndisc("Flags extension option specified twice, ignoring.");
-                                continue;
+                                break;
                         }
 
                         if (length < 1*8) {

test/fuzz-regressions/meson.build

@@ -22,6 +22,8 @@ fuzz_regression_tests = '''
         fuzz-journald-syslog/github-9820
         fuzz-journald-syslog/github-9827
         fuzz-journald-syslog/github-9829
+        fuzz-ndisc-rs/timeout-2815b773c712fa33bea62f541dfa3017c64ea2f1
+        fuzz-ndisc-rs/timeout-61fff7fd1e5dcc07e1b656baab29065ce634ad5b
         fuzz-unit-file/oss-fuzz-6884
         fuzz-unit-file/oss-fuzz-6885
         fuzz-unit-file/oss-fuzz-6886