From b28d06e05954f3c24361ffaf7ca704cb009e869b Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Wed, 26 Jan 2022 18:45:55 +0000
Subject: [PATCH] tests: fuzz dhcp_server_relay_message

It's a follow-up to https://github.com/systemd/systemd/pull/19384 where
dhcp_server_relay_message was introduced.

This PR was prompted by https://github.com/systemd/systemd/pull/22236#issuecomment-1020113269
for the most part.
---
 .../fuzz-dhcp-server-relay-message.c          |  46 ++++++++++++++++++
 src/libsystemd-network/meson.build            |   4 ++
 .../7d924e16295cd14e12a01a5631ea94a3d11d1b52  | Bin 0 -> 243 bytes
 .../fe4344e65d495388540dc1bf8eae70c46f8b867c  | Bin 0 -> 241 bytes
 4 files changed, 50 insertions(+)
 create mode 100644 src/libsystemd-network/fuzz-dhcp-server-relay-message.c
 create mode 100644 test/fuzz/fuzz-dhcp-server-relay-message/7d924e16295cd14e12a01a5631ea94a3d11d1b52
 create mode 100644 test/fuzz/fuzz-dhcp-server-relay-message/fe4344e65d495388540dc1bf8eae70c46f8b867c

diff --git a/src/libsystemd-network/fuzz-dhcp-server-relay-message.c b/src/libsystemd-network/fuzz-dhcp-server-relay-message.c
new file mode 100644
index 00000000000..a53e1c25372
--- /dev/null
+++ b/src/libsystemd-network/fuzz-dhcp-server-relay-message.c
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "fuzz.h"
+
+#include "sd-dhcp-server.c"
+
+ssize_t sendto(int sockfd, const void *buf, size_t len, int flags, const struct sockaddr *dest_addr, socklen_t addrlen) {
+        return len;
+}
+
+ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags) {
+        return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+        _cleanup_(sd_dhcp_server_unrefp) sd_dhcp_server *server = NULL;
+        struct in_addr address = {.s_addr = htobe32(UINT32_C(10) << 24 | UINT32_C(1))};
+        union in_addr_union relay_address;
+        _cleanup_free_ uint8_t *message = NULL;
+
+        if (size < sizeof(DHCPMessage))
+                return 0;
+
+        assert_se(sd_dhcp_server_new(&server, 1) >= 0);
+        assert_se(sd_dhcp_server_attach_event(server, NULL, 0) >= 0);
+        assert_se(sd_dhcp_server_configure_pool(server, &address, 24, 0, 0) >= 0);
+        assert_se(in_addr_from_string(AF_INET, "192.168.5.1", &relay_address) >= 0);
+        assert_se(sd_dhcp_server_set_relay_target(server, &relay_address.in) >= 0);
+        assert_se(sd_dhcp_server_set_bind_to_interface(server, false) >= 0);
+        assert_se(sd_dhcp_server_set_relay_agent_information(server, "string:sample_circuit_id", "string:sample_remote_id") >= 0);
+
+        size_t buflen = size;
+        buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
+        assert_se(message = malloc(buflen));
+        memcpy(message, data, size);
+
+        server->fd = open("/dev/null", O_RDWR|O_CLOEXEC|O_NOCTTY);
+        assert_se(server->fd >= 0);
+
+        (void) dhcp_server_relay_message(server, (DHCPMessage *) message, size - sizeof(DHCPMessage), buflen);
+        return 0;
+}
diff --git a/src/libsystemd-network/meson.build b/src/libsystemd-network/meson.build
index 6be409d8adb..3f5e11e7f55 100644
--- a/src/libsystemd-network/meson.build
+++ b/src/libsystemd-network/meson.build
@@ -113,6 +113,10 @@ fuzzers += [
          [libsystemd_network,
           libshared]],
 
+        [files('fuzz-dhcp-server-relay-message.c'),
+         [libsystemd_network,
+          libshared]],
+
         [files('fuzz-lldp-rx.c'),
          [libshared,
           libsystemd_network]],
diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/7d924e16295cd14e12a01a5631ea94a3d11d1b52 b/test/fuzz/fuzz-dhcp-server-relay-message/7d924e16295cd14e12a01a5631ea94a3d11d1b52
new file mode 100644
index 0000000000000000000000000000000000000000..117fbe0b2f98ec1cac23507afaa008cf43b6d2a1
GIT binary patch
literal 243
zc-mw7&&I&Ou$O^>i2(wx|NsA=fq{_=h#7(0ObD1hG4nf60>}cAe=-%20TTo(f(WO^
ziwgTMz7mg_T-3SpUqS-NL<N@r|A9&vKx!S4^fCMgi8Fv93rqk89Ff?lieS)`5n%#U
K;d>NGToM3w^i>D|

literal 0
Hc-jL100001

diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/fe4344e65d495388540dc1bf8eae70c46f8b867c b/test/fuzz/fuzz-dhcp-server-relay-message/fe4344e65d495388540dc1bf8eae70c46f8b867c
new file mode 100644
index 0000000000000000000000000000000000000000..0d2b0c89136f8c216ce293e21d0435da7c4476b6
GIT binary patch
literal 241
vc-muRWMjYt|NsC0&cMKo0vLz`b5H;Sy?_ITNCFZ&xhdGzl#wx+k@Y_S$w?4n

literal 0
Hc-jL100001

-- 
2.47.3