Fix bug in fuzzer-forward.c

Instead of adding the same item over and over,
allocate and fill a new struct client_nat_entry for each call
to client_nat_add_entry().

diff --git a/src/openvpn/fuzzer-forward.c b/src/openvpn/fuzzer-forward.c
index faad3c291ba3feb638e5343bc989b6cea20df531..50e6793a7c0c90190dd9d9e7fbc04ff46cc85295 100644 (file)
--- a/src/openvpn/fuzzer-forward.c
+++ b/src/openvpn/fuzzer-forward.c
@@ -14,7 +14,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     struct gc_arena gc;
     struct buffer buf;
-    struct client_nat_entry cne;
+    struct client_nat_entry* cne[MAX_CLIENT_NAT];
     ssize_t num_loops, generic_ssizet;
     unsigned int generic_uint, flags;
     size_t n;
@@ -25,6 +25,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     struct link_socket link_socket;
     struct link_socket_actual to_link_addr;
 
+    memset(cne, 0, sizeof(cne));
+
     fuzzer_set_input((unsigned char*)data, size);
     gc = gc_new();
     memset(&buf, 0, sizeof(buf));
@@ -76,8 +78,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 
     FUZZER_GET_INTEGER(num_loops, MAX_CLIENT_NAT);
     for (n = 0; n < num_loops; n++) {
-        FUZZER_GET_DATA(&cne, sizeof(cne));
-        client_nat_add_entry(ctx.options.client_nat, &cne);
+        struct client_nat_entry* _cne;
+        cne[n] = malloc(sizeof(struct client_nat_entry));
+        _cne = cne[n];
+        FUZZER_GET_DATA(_cne, sizeof(struct client_nat_entry));
+        client_nat_add_entry(ctx.options.client_nat, _cne);
     }
 
     FUZZER_GET_INTEGER(generic_ssizet, 1);
@@ -151,6 +156,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 
     process_incoming_tun(&ctx);
 cleanup:
+    for (n = 0; n < MAX_CLIENT_NAT; n++) {
+        free(cne[n]);
+    }
     free_buf(&buf);
     gc_free(&gc);