From 81b89af43bf9b4037d61b5f18df3ffcbed693307 Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Fri, 11 Aug 2017 02:37:49 +0200
Subject: [PATCH] Fix bug in fuzzer-forward.c

Instead of adding the same item over and over, allocate and fill a new struct client_nat_entry for each call to client_nat_add_entry().
---
 src/openvpn/fuzzer-forward.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/fuzzer-forward.c b/src/openvpn/fuzzer-forward.c
index faad3c291..50e6793a7 100644
--- a/src/openvpn/fuzzer-forward.c
+++ b/src/openvpn/fuzzer-forward.c
@@ -14,7 +14,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     struct gc_arena gc;
     struct buffer buf;
-    struct client_nat_entry cne;
+    struct client_nat_entry* cne[MAX_CLIENT_NAT];
     ssize_t num_loops, generic_ssizet;
     unsigned int generic_uint, flags;
     size_t n;
@@ -25,6 +25,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     struct link_socket link_socket;
     struct link_socket_actual to_link_addr;
 
+    memset(cne, 0, sizeof(cne));
+
     fuzzer_set_input((unsigned char*)data, size);
     gc = gc_new();
     memset(&buf, 0, sizeof(buf));
@@ -76,8 +78,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     FUZZER_GET_INTEGER(num_loops, MAX_CLIENT_NAT);
     for (n = 0; n < num_loops; n++)
     {
-        FUZZER_GET_DATA(&cne, sizeof(cne));
-        client_nat_add_entry(ctx.options.client_nat, &cne);
+        struct client_nat_entry* _cne;
+        cne[n] = malloc(sizeof(struct client_nat_entry));
+        _cne = cne[n];
+        FUZZER_GET_DATA(_cne, sizeof(struct client_nat_entry));
+        client_nat_add_entry(ctx.options.client_nat, _cne);
     }
 
     FUZZER_GET_INTEGER(generic_ssizet, 1);
@@ -151,6 +156,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     process_incoming_tun(&ctx);
 
 cleanup:
+    for (n = 0; n < MAX_CLIENT_NAT; n++) {
+        free(cne[n]);
+    }
     free_buf(&buf);
     gc_free(&gc);
 
-- 
2.47.2
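Review bot: The new declaration `struct client_nat_entry* cne[MAX_CLIENT_NAT];` attaches the `*` to the type name, which differs from the pointer style used in the function's own signature (`const uint8_t *data`) and hides that this is an array of pointers; `struct client_nat_entry *cne[MAX_CLIENT_NAT];` reads as what it is. LLVMFuzzerTestOneInput's body continues outside this hunk.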
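Review bot: The result of `malloc(sizeof(struct client_nat_entry))` is never checked before FUZZER_GET_DATA writes through it, so an allocation failure turns into a write through a null pointer instead of a clean exit; the `cleanup:` path added later in this patch, which frees every slot of the zero-initialised array, is already the right place to bail out to. The `_cne` temporary adds nothing over indexing `cne[n]` directly, and `sizeof *cne[n]` keeps both the allocation and the read tied to the element type. Two things are worth confirming because they live outside the hunk: whether FUZZER_GET_INTEGER's bound is inclusive (if num_loops can equal MAX_CLIENT_NAT, the last iteration writes `cne[n]` one past the end), and whether client_nat_add_entry copies the entry or retains the pointer — if it copies, the per-entry heap objects are harmless but unnecessary; if it retains the pointer, the entries must outlive every later use of ctx.options.client_nat, which the placement of the free loop at cleanup appears to satisfy. The enclosing function starts and ends outside the hunk.
```c
    for (n = 0; n < num_loops; n++)
    {
        cne[n] = malloc(sizeof *cne[n]);
        if (cne[n] == NULL)
        {
            goto cleanup;
        }
        FUZZER_GET_DATA(cne[n], sizeof *cne[n]);
        client_nat_add_entry(ctx.options.client_nat, cne[n]);
    }
```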
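Review bot: The new `for (n = 0; n < MAX_CLIENT_NAT; n++) {` puts the opening brace on the loop line, while the loop earlier in the same function (the one this patch also edits) uses Allman braces with `{` on its own line; one brace style per file keeps the fuzzer readable against the surrounding OpenVPN code. Freeing all MAX_CLIENT_NAT slots rather than only the first num_loops is correct here only because the array is zeroed before the first fuzzer read and free(NULL) is a no-op, so a short comment on the loop, `/* unallocated slots are NULL from the memset above */`, would spare the next reader that check. The function ends outside the hunk.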