dns_rdata_fromwire_text fixes:

* Disallow compression pointers in names as we are not
  reading from a packet and as a result length checks fail.
* Increase totext buffer size as fuzzer ran out of space on
  big bitmaps.
* NUL terminate totext to make fault diagnosis easier.
* Add debugging messages to make fault diagnosie easier.

diff --git a/fuzz/dns_rdata_fromwire_text.c b/fuzz/dns_rdata_fromwire_text.c
index 20db8058d368eede40522c855374d545c800f6a5..a71ba5ef37caf12433220d0f25d1087b66b5464d 100644 (file)
--- a/fuzz/dns_rdata_fromwire_text.c
+++ b/fuzz/dns_rdata_fromwire_text.c
@@ -59,13 +59,21 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 
 static void
 nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
+       va_list args;
+
        UNUSED(cb);
-       UNUSED(fmt);
+
+       if (debug) {
+               va_start(args, fmt);
+               vfprintf(stderr, fmt, args);
+               fprintf(stderr, "\n");
+               va_end(args);
+       }
 }
 
 int
 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-       char totext[1024];
+       char totext[64 * 1044 * 4];
        dns_compress_t cctx;
        dns_decompress_t dctx;
        dns_rdatatype_t rdtype;
@@ -113,10 +121,15 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        rdclass = classlist[(*data++) % classes];
        size--;
 
+       if (debug) {
+               fprintf(stderr, "type=%u, class=%u\n", rdtype, rdclass);
+       }
+
        dns_rdatacallbacks_init(&callbacks);
        callbacks.warn = callbacks.error = nullmsg;
 
-       dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+       /* Disallow decompression as we are reading a packet */
+       dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
 
        isc_buffer_constinit(&source, data, size);
        isc_buffer_add(&source, size);
@@ -129,14 +142,20 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         */
        CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, 0,
                                 &target));
+       assert(rdata1.length == size);
 
        /*
         * Convert to text from wire.
         */
-       isc_buffer_init(&target, totext, sizeof(totext));
+       isc_buffer_init(&target, totext, sizeof(totext) - 1);
        result = dns_rdata_totext(&rdata1, NULL, &target);
        assert(result == ISC_R_SUCCESS);
 
+       /*
+        * Make debugging easier by NUL terminating.
+        */
+       totext[isc_buffer_usedlength(&target)] = 0;
+
        /*
         * Convert to wire from text.
         */

diff --git a/fuzz/fuzz.h b/fuzz/fuzz.h
index a3f4ae8388c473296a9929ccfb19a0d65d789e19..c206528de6a4bcef9893138c75c5a91c85c9856d 100644 (file)
--- a/fuzz/fuzz.h
+++ b/fuzz/fuzz.h
@@ -23,6 +23,8 @@
 
 ISC_LANG_BEGINDECLS
 
+extern bool debug;
+
 int
 LLVMFuzzerInitialize(int *argc __attribute__((unused)),
                     char ***argv __attribute__((unused)));

diff --git a/fuzz/main.c b/fuzz/main.c
index d1ae9492df69d9253f62c195290c4d942d5784b5..85a9031a0f7d28e1888018e342177f14224666e5 100644 (file)
--- a/fuzz/main.c
+++ b/fuzz/main.c
@@ -24,6 +24,8 @@
 
 #include <dirent.h>
 
+bool debug = false;
+
 static void
 test_all_from(const char *dirname) {
        DIR *dirp;
@@ -98,6 +100,10 @@ main(int argc, char **argv) {
        UNUSED(argc);
        UNUSED(argv);
 
+       if (argc != 1) {
+               debug = true;
+       }
+
        target = (target != NULL) ? target + 1 : argv[0];
        if (strncmp(target, "lt-", 3) == 0) {
                target += 3;