[thirdparty/pdns.git] / fuzzing / README.md

Fuzzing the PowerDNS products
-----------------------------

This repository contains several fuzzing targets that can be used with generic
fuzzing engines like AFL and libFuzzer.

These targets are built by passing the --enable-fuzz-targets option to the
configure, then building as usual. You can also build only these targets
by going into the pdns/ directory and issuing a 'make fuzz_targets' command.

The current targets cover:
- the auth, dnsdist and rec packet caches (fuzz_target_packetcache and
  fuzz_target_dnsdistcache) ;
- MOADNSParser (fuzz_target_moadnsparser) ;
- the Proxy Protocol parser (fuzz_target_proxyprotocol) ;
- ZoneParserTNG (fuzz_target_zoneparsertng).

By default the targets are linked against a standalone target,
pdns/standalone_fuzz_target_runner.cc, which does no fuzzing but makes it easy
to check a given test file, or just that the fuzzing targets can be built properly.

This behaviour can be changed via the LIB_FUZZING_ENGINE variable, for example
by setting it to -lFuzzer, building with clang by setting CC=clang CXX=clang++
before running the configure and adding '-fsanitize=fuzzer-no-link' to CFLAGS
and CXXFLAGS. Doing so instructs the compiler to instrument the code for
efficient fuzzing but not to link directly with -lFuzzer, which would make
the compilation tests done during the configure phase fail.

Sanitizers
----------

In order to catch the maximum of issues during fuzzing, it makes sense to
enable the ASAN and UBSAN sanitizers via --enable-asan and --enable-ubsan
options to the configure, or to set the appropriate flags directly.

Corpus
------

This directory contains a few files used for continuous fuzzing
of the PowerDNS products.

The 'corpus' directory contains three sub-directories:
- proxy-protocol-raw-packets/ contains DNS queries prefixed with a Proxy
  Protocol v2 header, used by fuzz_target_proxyprotocol ;
- raw-dns-packets/ contains DNS queries and responses as captured on
  the wire. These are used by the fuzz_target_dnsdistcache,
  fuzz_target_moadnsparser and fuzz_target_packetcache targets ;
- zones/ contains DNS zones, used by the fuzz_target_zoneparsertng
  target.

When run in the OSS-Fuzz environment, the zone files from the
regression-tests/zones/ directory are added to the ones present
in the fuzzing/corpus/zones/ directory.
Commit	Line	Data
164ccdcd RG	1	Fuzzing the PowerDNS products
	2	-----------------------------
	3
	4	This repository contains several fuzzing targets that can be used with generic
	5	fuzzing engines like AFL and libFuzzer.
	6
	7	These targets are built by passing the --enable-fuzz-targets option to the
	8	configure, then building as usual. You can also build only these targets
	9	by going into the pdns/ directory and issuing a 'make fuzz_targets' command.
	10
	11	The current targets cover:
	12	- the auth, dnsdist and rec packet caches (fuzz_target_packetcache and
	13	fuzz_target_dnsdistcache) ;
	14	- MOADNSParser (fuzz_target_moadnsparser) ;
aa5a2a6f	15	- the Proxy Protocol parser (fuzz_target_proxyprotocol) ;
164ccdcd RG	16	- ZoneParserTNG (fuzz_target_zoneparsertng).
	17
	18	By default the targets are linked against a standalone target,
	19	pdns/standalone_fuzz_target_runner.cc, which does no fuzzing but makes it easy
	20	to check a given test file, or just that the fuzzing targets can be built properly.
	21
	22	This behaviour can be changed via the LIB_FUZZING_ENGINE variable, for example
	23	by setting it to -lFuzzer, building with clang by setting CC=clang CXX=clang++
	24	before running the configure and adding '-fsanitize=fuzzer-no-link' to CFLAGS
	25	and CXXFLAGS. Doing so instructs the compiler to instrument the code for
	26	efficient fuzzing but not to link directly with -lFuzzer, which would make
	27	the compilation tests done during the configure phase fail.
	28
	29	Sanitizers
	30	----------
	31
44e0b9d2	32	In order to catch the maximum of issues during fuzzing, it makes sense to
164ccdcd RG	33	enable the ASAN and UBSAN sanitizers via --enable-asan and --enable-ubsan
	34	options to the configure, or to set the appropriate flags directly.
	35
	36	Corpus
	37	------
	38
	39	This directory contains a few files used for continuous fuzzing
	40	of the PowerDNS products.
	41
aa5a2a6f RG	42	The 'corpus' directory contains three sub-directories:
	43	- proxy-protocol-raw-packets/ contains DNS queries prefixed with a Proxy
	44	Protocol v2 header, used by fuzz_target_proxyprotocol ;
164ccdcd RG	45	- raw-dns-packets/ contains DNS queries and responses as captured on
	46	the wire. These are used by the fuzz_target_dnsdistcache,
	47	fuzz_target_moadnsparser and fuzz_target_packetcache targets ;
	48	- zones/ contains DNS zones, used by the fuzz_target_zoneparsertng
	49	target.
	50
	51	When run in the OSS-Fuzz environment, the zone files from the
	52	regression-tests/zones/ directory are added to the ones present
	53	in the fuzzing/corpus/zones/ directory.