Imported Upstream version 9.14.4upstream/9.14.4

Change-Id: I04261b1d3d81ead0a7732834f02fc4219d86f5aa

10 files changed, 488 insertions, 0 deletions

diff --git a/fuzz/FUZZING.md b/fuzz/FUZZING.md
new file mode 100644
index 00000000..cccf41ff
--- /dev/null
+++ b/fuzz/FUZZING.md
@@ -0,0 +1,24 @@
+= Fuzzing
+
+The tests in this directory can be operated in three modes:
+
+* non-fuzzing - the test just runs over all input located in `<test_name>.in/`
+  directory by compiling with mock main.c that walks through the directory and
+  runs `LLVMFuzzerTestOneInput()` over the input files
+* AFL - `./configure --with-fuzzing=afl` will either feed the stdin to
+  `LLVMFuzzerTestOneInput()` or run the `__AFL_LOOP(10000)` if compiled with
+  `afl-clang-fast`
+* LibFuzzer - `./configure --with-fuzzing=libfuzzer` will disable `main.c`
+  completely and it uses the standard LibFuzzer mechanims to feed
+  `LLVMFuzzerTestOneInput` with the fuzzer
+
+== Test Cases
+
+Each test case should be called descriptively and the executable target must
+link `testcase.o` and `main.o` and the `test_case.c` must have a function
+`LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)`.
+
+== Adding more fuzzers
+
+To add a different fuzzer, `main.c` must be modified to include `main()` function
+for a specific fuzzer (or no function as is case with LibFuzzer).
diff --git a/fuzz/Makefile.in b/fuzz/Makefile.in
new file mode 100644
index 00000000..538f6fae
--- /dev/null
+++ b/fuzz/Makefile.in
@@ -0,0 +1,44 @@
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+abs_srcdir =	@abs_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I.. ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		@OPENSSL_INCLUDES@
+CDEFINES =	-DFUZZDIR=\"$(abs_srcdir)\"
+
+ISCLIBS =	../lib/isc/libisc.@A@ @OPENSSL_LIBS@
+ISCDEPLIBS =	../lib/isc/libisc.@A@
+DNSLIBS =	../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSDEPLIBS =	../lib/dns/libdns.@A@
+
+LIBS =		@LIBS@
+
+OBJS =		main.@O@
+SRCS =		main.c dns_name_fromtext_target.c dns_rdata_fromwire_text.c
+
+SUBDIRS =
+TARGETS =	dns_name_fromtext_target@EXEEXT@ \
+		dns_rdata_fromwire_text@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+dns_name_fromtext_target@EXEEXT@: dns_name_fromtext_target.@O@ main.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+		dns_name_fromtext_target.@O@ main.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dns_rdata_fromwire_text@EXEEXT@: dns_rdata_fromwire_text.@O@ main.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+		dns_rdata_fromwire_text.@O@ main.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+check: ${TARGETS}
+	for fuzzer in ${TARGETS}; do \
+		./$${fuzzer} ; \
+	done
+
+oss-fuzz: ${TARGETS}
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/fuzz/dns_name_fromtext_target.c b/fuzz/dns_name_fromtext_target.c
new file mode 100644
index 00000000..9fe52bfa
--- /dev/null
+++ b/fuzz/dns_name_fromtext_target.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <isc/buffer.h>
+#include <isc/util.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    isc_buffer_t buf;
+    isc_result_t result;
+    dns_fixedname_t origin;
+    char *de_const;
+
+    if (size < 5) {
+	    return 0;
+    }
+
+    dns_fixedname_init(&origin);
+    DE_CONST(data, de_const);
+    isc_buffer_init(&buf, (void *)de_const, size);
+    isc_buffer_add(&buf, size);
+    result = dns_name_fromtext(dns_fixedname_name(&origin), &buf, dns_rootname, 0, NULL);
+    UNUSED(result);
+    return 0;
+}
diff --git a/fuzz/dns_name_fromtext_target.in/example.com b/fuzz/dns_name_fromtext_target.in/example.com
new file mode 100644
index 00000000..de54ac66
--- /dev/null
+++ b/fuzz/dns_name_fromtext_target.in/example.com
@@ -0,0 +1 @@
+example.com
diff --git a/fuzz/dns_rdata_fromwire_text.c b/fuzz/dns_rdata_fromwire_text.c
new file mode 100644
index 00000000..628c71ed
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/compress.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdatatype.h>
+
+#define CHECK(x) ({ if ((result = (x)) != ISC_R_SUCCESS) goto done; })
+
+/*
+ * Fuzz input to dns_rdata_fromwire(). Then convert the result
+ * to text, back to wire format, to multiline text, and back to wire
+ * format again, checking for consistency throughout the sequence.
+ */
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void
+nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
+	va_list ap;
+
+	UNUSED(cb);
+	UNUSED(fmt);
+	UNUSED(ap);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+	char totext[1024];
+	dns_compress_t cctx;
+	dns_decompress_t dctx;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t typelist[256] = { 1000 };	/* unknown */
+	dns_rdataclass_t classlist[] = { dns_rdataclass_in,
+					 dns_rdataclass_hs,
+					 dns_rdataclass_ch,
+					 dns_rdataclass_any,
+					 60 };
+	dns_rdata_t rdata1 = DNS_RDATA_INIT,
+		    rdata2 = DNS_RDATA_INIT,
+		    rdata3 = DNS_RDATA_INIT;
+	dns_rdatacallbacks_t callbacks;
+	isc_buffer_t source, target;
+	isc_lex_t *lex = NULL;
+	isc_lexspecials_t specials;
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	unsigned char fromtext[1024];
+	unsigned char fromwire[1024];
+	unsigned char towire[1024];
+	unsigned int classes = (sizeof(classlist)/sizeof(classlist[0]));
+	unsigned int types = 1, flags, t;
+
+	if (size < 2) {
+		goto done;
+	}
+
+	/*
+	 * Append known types to list.
+	 */
+	for (t = 1; t <= 0x10000; t++) {
+		char typebuf[256];
+		if (dns_rdatatype_ismeta(t)) {
+			continue;
+		}
+		dns_rdatatype_format(t, typebuf, sizeof(typebuf));
+		if (strncmp(typebuf, "TYPE", 4) != 0) {
+			/* Assert when we need to grow typelist. */
+			assert(types < sizeof(typelist)/sizeof(typelist[0]));
+			typelist[types++] = t;
+		}
+	}
+
+	/*
+	 * Random type and class from a limited set.
+	 */
+	rdtype = typelist[(*data++) % types]; size--;
+	rdclass = classlist[(*data++) % classes]; size--;
+
+	CHECK(isc_mem_create(0, 0, &mctx));
+
+	CHECK(isc_lex_create(mctx, 64, &lex));
+	memset(specials, 0, sizeof(specials));
+	specials[0] = 1;
+	specials['('] = 1;
+	specials[')'] = 1;
+	specials['"'] = 1;
+	isc_lex_setspecials(lex, specials);
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+	dns_rdatacallbacks_init(&callbacks);
+	callbacks.warn = callbacks.error = nullmsg;
+
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+
+	isc_buffer_constinit(&source, data, size);
+	isc_buffer_add(&source, size);
+	isc_buffer_setactive(&source, size);
+
+	isc_buffer_init(&target, fromwire, sizeof(fromwire));
+
+	/*
+	 * Reject invalid rdata.
+	 */
+	CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx,
+				 0, &target));
+
+	/*
+	 * Convert to text from wire.
+	 */
+	isc_buffer_init(&target, totext, sizeof(totext));
+	result = dns_rdata_totext(&rdata1, NULL, &target);
+	assert(result == ISC_R_SUCCESS);
+
+	/*
+	 * Convert to wire from text.
+	 */
+	isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target));
+	isc_buffer_add(&source, isc_buffer_usedlength(&target));
+	CHECK(isc_lex_openbuffer(lex, &source));
+
+	isc_buffer_init(&target, fromtext, sizeof(fromtext));
+	result = dns_rdata_fromtext(&rdata2, rdclass, rdtype, lex,
+				    dns_rootname, 0, mctx, &target,
+				    &callbacks);
+	assert(result == ISC_R_SUCCESS);
+	assert(rdata2.length == size);
+	assert(!memcmp(rdata2.data, data, size));
+
+	/*
+	 * Convert to multi-line text from wire.
+	 */
+	isc_buffer_init(&target, totext, sizeof(totext));
+	flags = dns_master_styleflags(&dns_master_style_default);
+	result = dns_rdata_tofmttext(&rdata1, dns_rootname, flags,
+				     80 - 32, 4, "\n", &target);
+	assert(result == ISC_R_SUCCESS);
+
+	/*
+	 * Convert to wire from text.
+	 */
+	isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target));
+	isc_buffer_add(&source, isc_buffer_usedlength(&target));
+	CHECK(isc_lex_openbuffer(lex, &source));
+
+	isc_buffer_init(&target, fromtext, sizeof(fromtext));
+	result = dns_rdata_fromtext(&rdata3, rdclass, rdtype, lex,
+				    dns_rootname, 0, mctx, &target,
+				    &callbacks);
+	assert(result == ISC_R_SUCCESS);
+	assert(rdata3.length == size);
+	assert(!memcmp(rdata3.data, data, size));
+
+	/*
+	 * Convert rdata back to wire.
+	 */
+	CHECK(dns_compress_init(&cctx, -1, mctx));
+	dns_compress_setsensitive(&cctx, true);
+	isc_buffer_init(&target, towire, sizeof(towire));
+	result = dns_rdata_towire(&rdata1, &cctx, &target);
+	dns_compress_invalidate(&cctx);
+	assert(result == ISC_R_SUCCESS);
+	assert(target.used == size);
+	assert(!memcmp(target.base, data, size));
+
+ done:
+	if (lex != NULL) {
+		isc_lex_destroy(&lex);
+	}
+	if (lex != NULL) {
+		isc_mem_detach(&mctx);
+	}
+	return (0);
+}
diff --git a/fuzz/dns_rdata_fromwire_text.in/cdnskey b/fuzz/dns_rdata_fromwire_text.in/cdnskey
new file mode 100644
index 00000000..9eb47d56
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/cdnskey
diff --git a/fuzz/dns_rdata_fromwire_text.in/smimea b/fuzz/dns_rdata_fromwire_text.in/smimea
new file mode 100644
index 00000000..528472da
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/smimea
@@ -0,0 +1 @@
+…-Ņeœ<
\ No newline at end of file
diff --git a/fuzz/dns_rdata_fromwire_text.in/sshfp b/fuzz/dns_rdata_fromwire_text.in/sshfp
new file mode 100644
index 00000000..b3007cdb
--- /dev/null
+++ b/fuzz/dns_rdata_fromwire_text.in/sshfp
@@ -0,0 +1 @@
+|‡°|8
\ No newline at end of file
diff --git a/fuzz/fuzz.h b/fuzz/fuzz.h
new file mode 100644
index 00000000..500e3ed6
--- /dev/null
+++ b/fuzz/fuzz.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include <isc/lang.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static isc_mem_t *mctx = NULL;
+
+static void __attribute__((constructor)) init(void) {
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS);
+}
+
+static void __attribute__((destructor)) deinit(void)
+{
+	dst_lib_destroy();
+	isc_mem_destroy(&mctx);
+}
+
+ISC_LANG_ENDDECLS
diff --git a/fuzz/main.c b/fuzz/main.c
new file mode 100644
index 00000000..b6aef95c
--- /dev/null
+++ b/fuzz/main.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/stat.h>
+
+#include "fuzz.h"
+
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+
+#include <dirent.h>
+
+static void test_all_from(const char *dirname)
+{
+	DIR *dirp;
+	struct dirent *dp;
+
+	dirp = opendir(dirname);
+	if (dirp == NULL) {
+		return;
+	}
+
+	while ((dp = readdir(dirp)) != NULL) {
+		char filename[strlen(dirname) + strlen(dp->d_name) + 2];
+		int fd;
+		struct stat st;
+		char *data;
+		ssize_t n;
+
+		if (dp->d_name[0] == '.') {
+			continue;
+		}
+		snprintf(filename, sizeof(filename), "%s/%s",
+			 dirname, dp->d_name);
+
+		if ((fd = open(filename, O_RDONLY)) == -1) {
+			fprintf(stderr, "Failed to open %s: %s\n", filename,
+				strerror(errno));
+			continue;
+		}
+
+		if (fstat(fd, &st) != 0) {
+			fprintf(stderr, "Failed to stat %s: %s\n", filename,
+				strerror(errno));
+			goto closefd;
+		}
+
+		data = malloc(st.st_size);
+		n = read(fd, data, st.st_size);
+		if (n == st.st_size) {
+			printf("testing %zd bytes from %s\n",
+			       n, filename);
+			fflush(stdout);
+			LLVMFuzzerTestOneInput((const uint8_t *)data, n);
+			fflush(stderr);
+		} else {
+			if (n < 0) {
+				fprintf(stderr,
+					"Failed to read %zd bytes from %s: %s\n",
+					(ssize_t) st.st_size, filename,
+					strerror(errno));
+			} else {
+				fprintf(stderr,
+					"Failed to read %zd bytes from %s"
+					", got %zd\n",
+					(ssize_t) st.st_size, filename,
+					n);
+			}
+		}
+		free(data);
+	closefd:
+		close(fd);
+	}
+
+	closedir(dirp);
+}
+
+int main(int argc, char **argv)
+{
+	char corpusdir[PATH_MAX];
+	const char *target = strrchr(argv[0], '/');
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+	target = target ? target + 1 : argv[0];
+	if (strncmp(target, "lt-", 3) == 0) {
+		target += 3;
+	}
+
+	snprintf(corpusdir, sizeof(corpusdir), FUZZDIR "/%s.in", target);
+
+	test_all_from(corpusdir);
+
+	return 0;
+}
+
+#elif __AFL_COMPILER
+
+int main(int argc, char **argv)
+{
+	int ret;
+	unsigned char buf[64 * 1024];
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+#ifdef __AFL_LOOP
+	while (__AFL_LOOP(10000)) { // only works with afl-clang-fast
+#else
+	{
+#endif
+		ret = fread(buf, 1, sizeof(buf), stdin);
+		if (ret < 0) {
+			return 0;
+		}
+
+		LLVMFuzzerTestOneInput(buf, ret);
+	}
+
+	return 0;
+}
+
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */