fuzz: add nmblib/parse_packet target
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fri, 10 Jan 2020 02:44:27 +0000 (15:44 +1300)
committerGary Lockyer <gary@samba.org>
Wed, 15 Jan 2020 21:24:31 +0000 (21:24 +0000)
We want to ensure that parse_packet() can parse a packet without
crashing, and that that parsed packet won't cause trouble further down
the line.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed Jan 15 21:24:31 UTC 2020 on sn-devel-184

lib/fuzzing/fuzz_nmblib_parse_packet.c [new file with mode: 0644]
lib/fuzzing/wscript_build

diff --git a/lib/fuzzing/fuzz_nmblib_parse_packet.c b/lib/fuzzing/fuzz_nmblib_parse_packet.c
new file mode 100644 (file)
index 0000000..7b35abe
--- /dev/null
@@ -0,0 +1,56 @@
+/*
+  Fuzz NMB parse_packet
+  Copyright (C) Catalyst IT 2020
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 3 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "../../source3/include/includes.h"
+#include "libsmb/libsmb.h"
+#include "libsmb/nmblib.h"
+#include "fuzzing/fuzzing.h"
+
+#define PORT 138
+#define MAX_LENGTH (1024 * 1024)
+char buf[MAX_LENGTH + 1];
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+       struct packet_struct *p = NULL;
+       struct in_addr ip = {
+               0x0100007f /* 127.0.0.1 */
+       };
+
+       p = parse_packet((char *)input,
+                        len,
+                        NMB_PACKET,
+                        ip,
+                        PORT);
+       /*
+        * We expect NULL (parse failure) most of the time.
+        *
+        * When it is not NULL we want to ensure the parsed packet is
+        * reasonably sound.
+        */
+
+       if (p != NULL) {
+               struct nmb_packet *nmb = &p->packet.nmb;
+               pull_ascii_nstring(buf, MAX_LENGTH,
+                                  nmb->question.question_name.name);
+               build_packet(buf, MAX_LENGTH, p);
+               free_packet(p);
+       }
+       return 0;
+}
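Review bot: The `struct in_addr` initializer `0x0100007f` near the top of LLVMFuzzerTestOneInput is 127.0.0.1 only on a little-endian host; on a big-endian build it is 1.0.0.127, so the inline comment is wrong there even though the harness itself does not depend on the value. Spelling it as `struct in_addr ip = { .s_addr = htonl(INADDR_LOOPBACK) };` states the intent on every host and drops the magic number. The file-scope `buf`/`MAX_LENGTH` pair would also benefit from a one-line comment, e.g. `/* Scratch buffer shared by pull_ascii_nstring() and build_packet(); MAX_LENGTH bounds both writes. */`. Finally, the value returned by build_packet() is discarded; if it reports the encoded length, capturing it (`int n = build_packet(buf, MAX_LENGTH, p);`) and checking that it does not exceed MAX_LENGTH would let the harness catch a round-trip size problem instead of relying solely on the callee's own bounds checks.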
index 68a1f5ca2346cfbd37fc0efde604981f9c2376a2..f8b3886d3dae7bffb70943f61707ed3689c2ca01 100644 (file)
@@ -27,6 +27,11 @@ bld.SAMBA_BINARY('fuzz_reg_parse',
                  deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
                  fuzzer=True)
 
+bld.SAMBA_BINARY('fuzz_nmblib_parse_packet',
+                 source='fuzz_nmblib_parse_packet.c',
+                 deps='fuzzing libsmb afl-fuzz-main',
+                 fuzzer=True)
+
 bld.SAMBA_BINARY('fuzz_regfio',
                  source='fuzz_regfio.c',
                  deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',