From aa5a2a6fe8ad0f8f43e19d315bc267e7bea6592c Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 13 Mar 2020 19:07:02 +0100
Subject: [PATCH] Add a fuzzing target for the Proxy Protocol v2 parser

---
 fuzzing/README.md                             |   5 ++-
 .../proxy-protocol-local-header               | Bin 0 -> 52 bytes
 .../proxy-protocol-v4-with-tlvs               | Bin 0 -> 97 bytes
 pdns/Makefile.am                              |  11 +++++
 pdns/fuzz_proxyprotocol.cc                    |  42 ++++++++++++++++++
 5 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 fuzzing/corpus/proxy-protocol-raw-packets/proxy-protocol-local-header
 create mode 100644 fuzzing/corpus/proxy-protocol-raw-packets/proxy-protocol-v4-with-tlvs
 create mode 100644 pdns/fuzz_proxyprotocol.cc

diff --git a/fuzzing/README.md b/fuzzing/README.md
index c42c5c12f1..055c448830 100644
--- a/fuzzing/README.md
+++ b/fuzzing/README.md
@@ -12,6 +12,7 @@ The current targets cover:
 - the auth, dnsdist and rec packet caches (fuzz_target_packetcache and
   fuzz_target_dnsdistcache) ;
 - MOADNSParser (fuzz_target_moadnsparser) ;
+- the Proxy Protocol parser (fuzz_target_proxyprotocol) ;
 - ZoneParserTNG (fuzz_target_zoneparsertng).
 
 By default the targets are linked against a standalone target,
@@ -38,7 +39,9 @@ Corpus
 This directory contains a few files used for continuous fuzzing
 of the PowerDNS products.
 
-The 'corpus' directory contains two sub-directories:
+The 'corpus' directory contains three sub-directories:
+- proxy-protocol-raw-packets/ contains DNS queries prefixed with a Proxy
+  Protocol v2 header, used by fuzz_target_proxyprotocol ;
 - raw-dns-packets/ contains DNS queries and responses as captured on
   the wire. These are used by the fuzz_target_dnsdistcache,
   fuzz_target_moadnsparser and fuzz_target_packetcache targets ;
diff --git a/fuzzing/corpus/proxy-protocol-raw-packets/proxy-protocol-local-header b/fuzzing/corpus/proxy-protocol-raw-packets/proxy-protocol-local-header
new file mode 100644
index 0000000000000000000000000000000000000000..f2f8264e12924e26f00ac7b281d8d029abb33dce
GIT binary patch
literal 52
zc-rIT;^kuC<q8b-4B=8>U|<lkVq{<dA`oCq<SEL}FVQVdEh<YbDrU}0Edj|f0sysa
B2(|zK

literal 0
Hc-jL100001

diff --git a/fuzzing/corpus/proxy-protocol-raw-packets/proxy-protocol-v4-with-tlvs b/fuzzing/corpus/proxy-protocol-raw-packets/proxy-protocol-v4-with-tlvs
new file mode 100644
index 0000000000000000000000000000000000000000..250bed293657483911a59a85aa86d627e843c9c2
GIT binary patch
literal 97
zc-rIT;^kuC<q8b-4B=7~Vvwk3U|<B{&K2^dS`5rdiA4+y%xU@gKp_PNMg|aIWG*i+
p=P1Z8Pc2HxD`rm4&t+hc0m*3!faMu@7`PZX-s&HW&A-2+9{?aJ64n3!

literal 0
Hc-jL100001

diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 64d3ad8fad..524110a07b 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1423,6 +1423,7 @@ fuzz_targets_programs =  \
 	fuzz_target_dnsdistcache \
 	fuzz_target_moadnsparser \
 	fuzz_target_packetcache \
+	fuzz_target_proxyprotocol \
 	fuzz_target_zoneparsertng
 
 fuzz_targets: $(fuzz_targets_programs)
@@ -1479,6 +1480,16 @@ fuzz_target_packetcache_DEPENDENCIES = $(fuzz_targets_deps)
 fuzz_target_packetcache_LDFLAGS = $(fuzz_targets_ldflags)
 fuzz_target_packetcache_LDADD = $(fuzz_targets_libs)
 
+fuzz_target_proxyprotocol_SOURCES = \
+	fuzz_proxyprotocol.cc \
+	iputils.hh \
+	proxy-protocol.cc \
+	proxy-protocol.hh
+
+fuzz_target_proxyprotocol_DEPENDENCIES = $(fuzz_targets_deps)
+fuzz_target_proxyprotocol_LDFLAGS = $(fuzz_targets_ldflags)
+fuzz_target_proxyprotocol_LDADD = $(fuzz_targets_libs)
+
 fuzz_target_dnsdistcache_SOURCES = \
 	fuzz_dnsdistcache.cc \
 	dnsdist-cache.cc dnsdist-cache.hh \
diff --git a/pdns/fuzz_proxyprotocol.cc b/pdns/fuzz_proxyprotocol.cc
new file mode 100644
index 0000000000..d138d6faac
--- /dev/null
+++ b/pdns/fuzz_proxyprotocol.cc
@@ -0,0 +1,42 @@
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "proxy-protocol.hh"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+
+  std::vector<ProxyProtocolValue> values;
+  ComboAddress source;
+  ComboAddress destination;
+  bool proxy = false;
+  bool tcp = false;  
+
+  try {
+    parseProxyHeader(std::string(reinterpret_cast<const char*>(data), size), proxy, source, destination, tcp, values);
+  }
+  catch(const std::exception& e) {
+  }
+  catch(const PDNSException& e) {
+  }
+
+  return 0;
+}
-- 
2.47.2