4577. [func] Make qtype of resolver fuzzing packet configurable via command...
authorWitold Krecicki <wpk@isc.org>
Tue, 21 Feb 2017 11:49:55 +0000 (03:49 -0800)
committerWitold Krecicki <wpk@isc.org>
Tue, 21 Feb 2017 11:49:55 +0000 (03:49 -0800)
CHANGES
bin/named/fuzz.c
lib/dns/resolver.c

diff --git a/CHANGES b/CHANGES
index 13987f4f78a691d563d3ae35125e12ab80b2388d..998abefbd121654b9146233304f298217d712f26 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4577.  [func]          Make qtype of resolver fuzzing packet configurable
+                       via command line. [RT #43540]
+
 4576.  [func]          The RPZ implementation has been substantially
                        refactored for improved performance and reliability.
                        [RT #43449]
index 03539ffe4a8c589349a15dceb65ebaaf08d7fbf7..015bee7073cd09a26bd63757b208e1814bb3983f 100644 (file)
@@ -136,7 +136,7 @@ fuzz_main_client(void *arg) {
 
 static void *
 fuzz_main_resolver(void *arg) {
-       char *shost, *sport, *rhost, *rport;
+       char *sqtype, *shost, *sport, *rhost, *rport;
        /* Query for A? aaaaaaaaaa.example. */
        char respacket[] =
                 "\0\0\1 \0\1\0\0\0\0\0\0\naaaaaaaaaa\7example\0\0\1\0\1";
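Review bot: The comment `/* Query for A? aaaaaaaaaa.example. */` above respacket is now stale: later in this function the two QTYPE bytes of the template (respacket[32] and respacket[33]) are overwritten from the parsed -A argument, so the packet is no longer necessarily an A query. Suggest `/* Query template for aaaaaaaaaa.example.; QTYPE (bytes 32-33) is patched from the -A argument before use. */`. fuzz_main_resolver continues outside this hunk.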
@@ -144,17 +144,21 @@ fuzz_main_resolver(void *arg) {
        int sockfd;
        int listenfd;
        int loop;
+       isc_uint16_t qtype;
        char *buf, *rbuf;
 
        UNUSED(arg);
 
        /*
-        * Parse named -A argument in the "laddress:sport:raddress:rport"
+        * Parse named -A argument in the "qtype:laddress:sport:raddress:rport"
         * syntax.  Due to the syntax used, this only supports IPv4 addresses.
         */
-
-       shost = strdup(ns_g_fuzz_named_addr);
+       sqtype = strdup(ns_g_fuzz_named_addr);
+       RUNTIME_CHECK(sqtype != NULL);
+       shost = strchr(sqtype, ':');
        RUNTIME_CHECK(shost != NULL);
+       *shost = 0;
+       shost++;
        sport = strchr(shost, ':');
        RUNTIME_CHECK(sport != NULL);
        *sport = 0;
@@ -168,6 +172,10 @@ fuzz_main_resolver(void *arg) {
        *rport = 0;
        rport++;
 
+       qtype = atoi(sqtype);
+       respacket[32] = (qtype >> 8) & 0xff;
+       respacket[33] = qtype & 0xff;
+
        memset(&servaddr, 0, sizeof (servaddr));
        servaddr.sin_family = AF_INET;
        RUNTIME_CHECK(inet_pton(AF_INET, shost, &servaddr.sin_addr) == 1);
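Review bot: `qtype = atoi(sqtype);` accepts any text silently: a malformed field (for example a type mnemonic instead of a number) yields 0, and a value above 65535 is truncated when stored in the isc_uint16_t, so a typo in the -A argument starts a fuzzing run with a meaningless QTYPE instead of failing at startup the way the address fields do through RUNTIME_CHECK. The ports are parsed with atoi too, but the qtype goes straight into the packet, so it is worth parsing with strtoul and checking the end pointer and range in the same startup-check style. The offsets 32 and 33 are correct for this template (12-byte header plus 20-byte QNAME) but would read better as a named constant shared with the later buf[32]/buf[33] write.
```c
	{
		char *end = NULL;
		unsigned long ul = strtoul(sqtype, &end, 10);
		RUNTIME_CHECK(end != sqtype && *end == '\0' && ul <= 0xffff);
		qtype = (isc_uint16_t)ul;
	}
	respacket[32] = (qtype >> 8) & 0xff;
	respacket[33] = qtype & 0xff;
	/* … unchanged: servaddr setup … */
```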
@@ -178,7 +186,7 @@ fuzz_main_resolver(void *arg) {
        RUNTIME_CHECK(inet_pton(AF_INET, rhost, &recaddr.sin_addr) == 1);
        recaddr.sin_port = htons(atoi(rport));
 
-       free(shost);
+       free(sqtype);
 
        /* Wait for named to start */
        while (!ns_g_run_done) {
@@ -252,6 +260,14 @@ fuzz_main_resolver(void *arg) {
                buf[1] = rbuf[1];
                buf[2] |= 0x80;
 
+               /*
+                * A hack - set QTYPE to the one from query so that we can easily
+                * share packets between instances. If we write over something else
+                * we'll get FORMERR anyway.
+                */
+               buf[32] = (qtype >> 8) & 0xff;
+               buf[33] = qtype & 0xff;
+
                sent = sendto(listenfd, buf, length, 0,
                              (struct sockaddr *) &recvaddr, sizeof(recvaddr));
                RUNTIME_CHECK(sent == length);
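Review bot: `buf[32]` and `buf[33]` are written without checking `length`; when the fuzzer input is shorter than 34 bytes this writes past the data that was actually received, and whether it stays inside buf's allocation depends on how buf is sized, which is outside this hunk. Since only `length` bytes are sent, the two bytes matter only for inputs that are long enough, so wrapping the two assignments in `if (length >= 34) {` avoids the out-of-data write and leaves short inputs untouched. The comment already calls this a hack; it could also record that offset 32 assumes the response carries the same 20-byte QNAME as respacket.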
index f935a67ebee1e60462cee0cc02ca9c092bdfbd7f..9261c597e1c7a6dd2c042a7ad5b2a4f5c61b9edf 100644 (file)
@@ -8677,7 +8677,11 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
                                 no_response, ISC_FALSE);
 
 #ifdef ENABLE_AFL
-       if (fuzzing_resolver && (keep_trying || resend)) {
+       if (fuzzing_resolver && (keep_trying || resend || nextitem)) {
+               if (nextitem) {
+                       fctx_cancelquery(&query, &devent, finish,
+                                        no_response, ISC_FALSE);
+               }
                fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
                return;
        } else
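Review bot: The new `if (nextitem)` branch cancels the query before failing the fetch while the keep_trying and resend cases do not, and nothing in the hunk says why; a short comment such as `/* nextitem has not cancelled the query yet; release it before ending the fetch under fuzzing. */` would save the next reader the trace. I am inferring that the keep_trying and resend paths were already cancelled in the code just above, whose tail `no_response, ISC_FALSE);` is the first context line, so confirm that before adopting the wording. resquery_response continues on both sides of the hunk.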