From: Alan T. DeKok Date: Mon, 2 Dec 2024 19:30:46 +0000 (-0500) Subject: add cbor to the fuzzer, and fix a few issues it found X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27c433d7ba4894a968405ed98f76e64750501d45;p=thirdparty%2Ffreeradius-server.git add cbor to the fuzzer, and fix a few issues it found --- diff --git a/src/bin/all.mk b/src/bin/all.mk index 33227c0d8a7..88d00d5b965 100644 --- a/src/bin/all.mk +++ b/src/bin/all.mk @@ -25,7 +25,7 @@ SUBMAKEFILES := \ # The fuzzer binary needs special magic to run, as it doesn't parse # command-line options. See fuzzer.mk for details. # -FUZZER_PROTOCOLS = radius dhcpv4 dhcpv6 dns tacacs vmps tftp util bfd +FUZZER_PROTOCOLS = radius dhcpv4 dhcpv6 dns tacacs vmps tftp util bfd cbor # # Add the fuzzer only if everything was built with the fuzzing flags. diff --git a/src/lib/util/cbor.c b/src/lib/util/cbor.c index cf3cff02023..b322f371558 100644 --- a/src/lib/util/cbor.c +++ b/src/lib/util/cbor.c @@ -1027,7 +1027,12 @@ ssize_t fr_cbor_decode_value_box(TALLOC_CTX *ctx, fr_value_box_t *vb, fr_dbuff_t return -1; } - fr_assert(info != 31); + if (info == 31) { + no_chunks: + fr_strerror_const("Chunked strings are not supported"); + return 0; + } + /* * @todo - undefinite length strings. Which are really "chunked" strings. @@ -1059,10 +1064,10 @@ ssize_t fr_cbor_decode_value_box(TALLOC_CTX *ctx, fr_value_box_t *vb, fr_dbuff_t case CBOR_OCTETS: if (type != FR_TYPE_OCTETS) goto mismatch; - fr_assert(info != 31); + if (info == 31) goto no_chunks; /* - * @todo - undefinite length octet strings. Which are really "chunked" octet strings. + * @todo - indefinite length octet strings. Which are really "chunked" octet strings. */ slen = cbor_decode_integer(&value, info, &work_dbuff); if (slen < 0) return_slen; 
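Review bot: The new `no_chunks` path in the string case returns 0, while the error path directly above it returns -1 and the length decode further down is only checked with `if (slen < 0) return_slen;`. A caller that tests `slen < 0` in the same way would read 0 as "nothing consumed, no error" and could go on to use a value box that was never filled in, for input whose additional-info bits come straight from the packet. Callers are outside this diff, so confirm how they treat 0. Unless 0 is a documented failure value for fr_cbor_decode_value_box, use `return -1;` like the neighbouring path. The CBOR_OCTETS hunk shares the defect through `if (info == 31) goto no_chunks;`, and that goto enters the body of an `if` from another case, so placing the label next to the function's other shared error labels (such as `mismatch`, defined outside these hunks) would read more clearly.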
@@ -1590,7 +1595,8 @@ static fr_type_t cbor_guess_type(fr_dbuff_t *dbuff, bool pair) return FR_TYPE_IPV4_ADDR; case 54: - FR_DBUFF_OUT_RETURN(&major, &work_dbuff); + slen = fr_dbuff_out(&major, &work_dbuff); + if (slen <= 0) goto no_data; major >>= 5; @@ -1726,9 +1732,9 @@ ssize_t fr_cbor_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dbuff_t *db break; default: - talloc_free(vp); fr_strerror_printf("Invalid data type %s for child %s of %s", fr_type_to_str(da->type), vp->da->name, parent->name); + talloc_free(vp); return -1; }
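Review bot: The `case 54:` branch now open-codes the read, but nothing tells a later maintainer why the macro was dropped, so it could easily be reintroduced. Assuming the usual FR_DBUFF_*_RETURN behaviour of returning a negative length on a short read, a comment such as `/* no FR_DBUFF_OUT_RETURN() here: this function returns fr_type_t, not ssize_t */` above `slen = fr_dbuff_out(&major, &work_dbuff);` would record it. The `no_data` label is outside this hunk, so it is not visible which fr_type_t value a truncated tag 54 produces. It should be one that callers already treat as "cannot guess" and not a valid type. Any other `_RETURN` macro still used in cbor_guess_type presumably has the same problem.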
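Review bot: The reordering in the `default:` branch of fr_cbor_decode_pair is only correct while vp stays alive until the message is formatted, and nothing in the code records that constraint. Add `/* format the message before freeing vp: it reads vp->da->name */` above the fr_strerror_printf call. If vp was allocated from da (not visible in this hunk), printing `da->name` instead of `vp->da->name` would remove the dependency on vp's lifetime altogether. The function's other error exits lie outside this hunk and are worth checking for the same free-then-use order.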