From: Evgeny Vereshchagin
Date: Tue, 1 Feb 2022 13:11:41 +0000 (+0000)
Subject: tests: fuzz client_send_message
X-Git-Tag: v251-rc1~368
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=697bb76589531c8361c118326fa7127548d3ab3d;p=thirdparty%2Fsystemd.git
tests: fuzz client_send_message to make sure outgoing packets based on incoming packets are fine. It's just another follow-up to https://github.com/systemd/systemd/pull/10200. Better late than never :-)
---
diff --git a/src/libsystemd-network/fuzz-dhcp6-client-send.c b/src/libsystemd-network/fuzz-dhcp6-client-send.c
new file mode 100644
index 00000000000..48401410f61
--- /dev/null
+++ b/src/libsystemd-network/fuzz-dhcp6-client-send.c
@@ -0,0 +1,59 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "fuzz.h"
+
+#include "sd-dhcp6-client.c"
+
+int dhcp6_network_send_udp_socket(int s, struct in6_addr *server_address,
+ const void *packet, size_t len) {
+ return len;
+}
+
+int dhcp6_network_bind_udp_socket(int index, struct in6_addr *local_address) {
+ int fd;
+
+ fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0);
+ assert_se(fd >= 0);
+
+ return fd;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_(sd_event_unrefp) sd_event *e = NULL;
+ _cleanup_(sd_dhcp6_client_unrefp) sd_dhcp6_client *client = NULL;
+ struct in6_addr address = { { { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 } } };
+ triple_timestamp t = {};
+ usec_t time_now;
+ int r;
+
+ if (size < sizeof(DHCP6Message))
+ return 0;
+
+ assert_se(sd_event_new(&e) >= 0);
+ assert_se(sd_dhcp6_client_new(&client) >= 0);
+ assert_se(sd_dhcp6_client_attach_event(client, e, 0) >= 0);
+ assert_se(sd_dhcp6_client_set_ifindex(client, 42) == 0);
+ assert_se(sd_dhcp6_client_set_fqdn(client, "example.com") == 1);
+ assert_se(sd_dhcp6_client_set_request_mud_url(client, "https://www.example.com/mudfile.json") >= 0);
+ assert_se(sd_dhcp6_client_set_request_user_class(client, STRV_MAKE("u1", "u2", "u3")) >= 0);
+ assert_se(sd_dhcp6_client_set_request_vendor_class(client, STRV_MAKE("v1", "v2", "v3")) >= 0);
+ assert_se(sd_dhcp6_client_set_local_address(client, &address) >= 0);
+ assert_se(sd_dhcp6_client_set_information_request(client, false) == 0);
+ dhcp6_client_set_test_mode(client, true);
+ assert_se(sd_dhcp6_client_start(client) >= 0);
+ assert_se(sd_dhcp6_client_set_transaction_id(client, htobe32(0x00ffffff) & ((const DHCP6Message *) data)->transaction_id) == 0);
+
+ triple_timestamp_get(&t);
+ if (client_receive_advertise(client, (DHCP6Message *) data, size, &t, NULL) != DHCP6_STATE_REQUEST)
+ goto cleanup;
+
+ r = sd_event_now(client->event, clock_boottime_or_monotonic(), &time_now);
+ if (r < 0)
+ goto cleanup;
+
+ client->state = DHCP6_STATE_REQUEST;
+ (void) client_send_message(client, time_now);
+cleanup:
+ assert_se(sd_dhcp6_client_stop(client) >= 0);
+ return 0;
+}
diff --git a/src/libsystemd-network/meson.build b/src/libsystemd-network/meson.build
index 853401d5be8..a44e8c0824e 100644
--- a/src/libsystemd-network/meson.build
+++ b/src/libsystemd-network/meson.build
@@ -113,6 +113,10 @@ fuzzers += [ [libshared, libsystemd_network]], + [files('fuzz-dhcp6-client-send.c'), + [libshared, + libsystemd_network]], + [files('fuzz-dhcp-server.c'), [libsystemd_network, libshared]],
diff --git a/test/fuzz/fuzz-dhcp6-client-send/12ad30d317800d7f731c1c8bc0854e531d5ef928 b/test/fuzz/fuzz-dhcp6-client-send/12ad30d317800d7f731c1c8bc0854e531d5ef928
new file mode 100644
index 00000000000..c140fc02121
Binary files /dev/null and b/test/fuzz/fuzz-dhcp6-client-send/12ad30d317800d7f731c1c8bc0854e531d5ef928 differ
diff --git a/test/fuzz/fuzz-dhcp6-client-send/crash-a93b8ba024ada36014c29c25cc90c668fd91ce7f b/test/fuzz/fuzz-dhcp6-client-send/crash-a93b8ba024ada36014c29c25cc90c668fd91ce7f
new file mode 100644
index 00000000000..2bf4027c0c7
Binary files /dev/null and b/test/fuzz/fuzz-dhcp6-client-send/crash-a93b8ba024ada36014c29c25cc90c668fd91ce7f differ
diff --git a/test/fuzz/fuzz-dhcp6-client-send/f202c4dff34d15e41c032a66ed25d89154be1f6d b/test/fuzz/fuzz-dhcp6-client-send/f202c4dff34d15e41c032a66ed25d89154be1f6d
new file mode 100644
index 00000000000..9d8994dec4f
Binary files /dev/null and b/test/fuzz/fuzz-dhcp6-client-send/f202c4dff34d15e41c032a66ed25d89154be1f6d differ
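Review bot: The `dhcp6_network_send_udp_socket()` stub in fuzz-dhcp6-client-send.c returns `len` without ever reading `packet`, so a length that overstates the buffer built by `client_send_message()` would go unnoticed by ASan, although checking outgoing packets is the stated purpose of this fuzzer. Reading the buffer inside the stub closes that gap, for example `_cleanup_free_ void *copy = memdup(packet, len);` followed by `assert_se(copy);` before `return len;` (assuming alloc-util.h is reachable through the included sd-dhcp6-client.c). Separately, `LLVMFuzzerTestOneInput()` casts away `const` when it hands `data` to `client_receive_advertise()`; whether that parser writes to the message is not visible in this diff, but libFuzzer expects the input to stay unmodified, so parsing a private copy would be safer. An upper bound beside the `size < sizeof(DHCP6Message)` check would also stop the fuzzer from spending time on inputs larger than a UDP payload can carry.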