The branch, master has been updated via 0fcc2e93192 fuzz: add nmblib/parse_packet target via f4bafcca863 fuzz: ldb binary decode/enode via da4786003fe fuzz: add ldb ldif fuzzer via 13bd82db64b fuzz: ldb_dn parsing via 79460b1b9f3 lib ldb common: Fix memory leak from 6b8a6838849 tests: Test samba-tool user setprimarygroup command
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0fcc2e93192b8737b0a711ed2ca118e4e833f3fe Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jan 10 15:44:27 2020 +1300 fuzz: add nmblib/parse_packet target We want to ensure that parse_packet() can parse a packet without crashing, and that that parsed packet won't cause trouble further down the line. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> Autobuild-User(master): Gary Lockyer <g...@samba.org> Autobuild-Date(master): Wed Jan 15 21:24:31 UTC 2020 on sn-devel-184 commit f4bafcca863f1f11b07dfec960495a84184f2317 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jan 10 17:33:03 2020 +1300 fuzz: ldb binary decode/enode Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> commit da4786003fef39737734e1a5cbf752442f7793b1 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jan 10 12:35:54 2020 +1300 fuzz: add ldb ldif fuzzer Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> commit 13bd82db64be827c3472255531ee79501f07f129 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Jan 10 12:35:30 2020 +1300 fuzz: ldb_dn parsing Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> commit 79460b1b9f3452d6d68014b84f4a9dc3988bd916 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Jan 14 14:42:26 2020 +1300 lib ldb common: Fix memory leak TALLOC_FREE the ldb_control allocated in ldb_parse_control_from_string when none of the cases match. Credit to OSS-Fuzz 
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: David Disseldorp <dd...@samba.org> ----------------------------------------------------------------------- Summary of changes: ...z_ldb_parse_control.c => fuzz_ldb_dn_explode.c} | 12 ++--- ...zz_ldb_parse_control.c => fuzz_ldb_ldif_read.c} | 17 +++---- ...se_control.c => fuzz_ldb_parse_binary_decode.c} | 27 ++++++----- lib/fuzzing/fuzz_nmblib_parse_packet.c | 56 ++++++++++++++++++++++ lib/fuzzing/wscript_build | 20 ++++++++ lib/ldb/common/ldb_controls.c | 1 + 6 files changed, 106 insertions(+), 27 deletions(-) copy lib/fuzzing/{fuzz_ldb_parse_control.c => fuzz_ldb_dn_explode.c} (81%) copy lib/fuzzing/{fuzz_ldb_parse_control.c => fuzz_ldb_ldif_read.c} (78%) copy lib/fuzzing/{fuzz_ldb_parse_control.c => fuzz_ldb_parse_binary_decode.c} (72%) create mode 100644 lib/fuzzing/fuzz_nmblib_parse_packet.c Changeset truncated at 500 lines:
diff --git a/lib/fuzzing/fuzz_ldb_parse_control.c b/lib/fuzzing/fuzz_ldb_dn_explode.c
similarity index 81%
copy from lib/fuzzing/fuzz_ldb_parse_control.c
copy to lib/fuzzing/fuzz_ldb_dn_explode.c
index bd3fda87fdb..dade67567cb 100644
--- a/lib/fuzzing/fuzz_ldb_parse_control.c
+++ b/lib/fuzzing/fuzz_ldb_dn_explode.c
@@ -17,7 +17,7 @@
  */
 #include "includes.h"
 #include "fuzzing/fuzzing.h"
-#include "ldb_private.h"
+#include "ldb.h"
 #define MAX_LENGTH (2 * 1024 * 1024 - 1)
@@ -25,10 +25,10 @@ char buf[MAX_LENGTH + 1] = {0};
 int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
 {
-	struct ldb_control *control = NULL;
+	struct ldb_dn *dn = NULL;
 	struct ldb_context *ldb = ldb_init(NULL, NULL);
 	/*
-	 * We copy the buffer in order to NUL-teminate, because running off
+	 * We copy the buffer in order to NUL-terminate, because running off
 	 * the end of the string would be an uninteresting crash.
 	 */
 	if (len > MAX_LENGTH) {
@@ -37,10 +37,8 @@ int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
 	memcpy(buf, input, len);
 	buf[len] = 0;
-	control = ldb_parse_control_from_string(ldb, ldb, buf);
-	if (control != NULL) {
-		ldb_control_to_string(ldb, control);
-	}
+	dn = ldb_dn_new(ldb, ldb, buf);
+	ldb_dn_validate(dn);
 	TALLOC_FREE(ldb);
 	return 0;
 }
diff --git a/lib/fuzzing/fuzz_ldb_parse_control.c b/lib/fuzzing/fuzz_ldb_ldif_read.c
similarity index 78%
copy from lib/fuzzing/fuzz_ldb_parse_control.c
copy to lib/fuzzing/fuzz_ldb_ldif_read.c
index bd3fda87fdb..f2c46bc9beb 100644
--- a/lib/fuzzing/fuzz_ldb_parse_control.c
+++ b/lib/fuzzing/fuzz_ldb_ldif_read.c
@@ -25,21 +25,22 @@ char buf[MAX_LENGTH + 1] = {0};
 int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
 {
-	struct ldb_control *control = NULL;
+	struct ldb_ldif *ldif = NULL;
 	struct ldb_context *ldb = ldb_init(NULL, NULL);
-	/*
-	 * We copy the buffer in order to NUL-teminate, because running off
-	 * the end of the string would be an uninteresting crash.
-	 */
+	const char *s = NULL;
+
 	if (len > MAX_LENGTH) {
 		len = MAX_LENGTH;
 	}
 	memcpy(buf, input, len);
 	buf[len] = 0;
+	s = buf;
-	control = ldb_parse_control_from_string(ldb, ldb, buf);
-	if (control != NULL) {
-		ldb_control_to_string(ldb, control);
+	ldif = ldb_ldif_read_string(ldb, &s);
+
+	if(ldif != NULL) {
+		ldb_ldif_write_string(ldb, ldb, ldif);
+		ldb_ldif_write_redacted_trace_string(ldb, ldb, ldif);
 	}
 	TALLOC_FREE(ldb);
 	return 0;
diff --git a/lib/fuzzing/fuzz_ldb_parse_control.c b/lib/fuzzing/fuzz_ldb_parse_binary_decode.c
similarity index 72%
copy from lib/fuzzing/fuzz_ldb_parse_control.c
copy to lib/fuzzing/fuzz_ldb_parse_binary_decode.c
index bd3fda87fdb..6b79a34a027 100644
--- a/lib/fuzzing/fuzz_ldb_parse_control.c
+++ b/lib/fuzzing/fuzz_ldb_parse_binary_decode.c
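Review bot: The result of `ldb_dn_validate(dn)` on the new side is discarded and nothing on the validated DN is read afterwards, while the file and build target are named after the explode step, so a reader has to know that ldb_dn_validate is the public entry point that drives ldb_dn_explode; a comment above that call such as `/* ldb_dn_validate() explodes the DN into its components; a NULL dn is tolerated */` would make the intent explicit. If wider coverage is wanted, following a successful validation with `ldb_dn_get_linearized(dn);` would also exercise re-linearisation of the exploded form. The `ldb_init(NULL, NULL)` result a few lines above the hunk is still used as the allocation context without a NULL check, as in the original; LLVMFuzzerTestOneInput starts outside this hunk.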
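Review bot: The comment explaining why the input is copied and NUL-terminated is deleted in this hunk while the `memcpy`/`buf[len] = 0` it explained is kept, so the copy now reads as unmotivated; I would restore it above `if (len > MAX_LENGTH) {` as `/* Copy the input so it is NUL-terminated: ldb_ldif_read_string() takes a C string, and running off the end would be an uninteresting crash. */`. `if(ldif != NULL)` lacks the space after `if` that the rest of the file uses. Only the first LDIF record is ever parsed: ldb_ldif_read_string() appears to advance `s` past the record it consumed, so an input holding several records, or trailing data after a valid one, is never examined beyond the first; a `while ((ldif = ldb_ldif_read_string(ldb, &s)) != NULL) { ... }` loop that writes each record and then releases it with ldb_ldif_read_free() would cover that without letting allocations on `ldb` pile up. The closing brace of LLVMFuzzerTestOneInput lies outside the hunk.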
@@ -23,24 +23,27 @@
 #define MAX_LENGTH (2 * 1024 * 1024 - 1)
 char buf[MAX_LENGTH + 1] = {0};
-int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+static char * possibly_truncate(uint8_t *input, size_t len)
 {
-	struct ldb_control *control = NULL;
-	struct ldb_context *ldb = ldb_init(NULL, NULL);
-	/*
-	 * We copy the buffer in order to NUL-teminate, because running off
-	 * the end of the string would be an uninteresting crash.
-	 */
 	if (len > MAX_LENGTH) {
 		len = MAX_LENGTH;
 	}
 	memcpy(buf, input, len);
 	buf[len] = 0;
+	return buf;
+}
-	control = ldb_parse_control_from_string(ldb, ldb, buf);
-	if (control != NULL) {
-		ldb_control_to_string(ldb, control);
-	}
-	TALLOC_FREE(ldb);
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+	TALLOC_CTX *mem_ctx = talloc_init(__FUNCTION__);
+	struct ldb_val val = {0};
+	const char *s = possibly_truncate(input, len);
+
+	/* we treat the same string to encoding and decoding, not
+	 * round-tripping. */
+	val = ldb_binary_decode(mem_ctx, s);
+	ldb_binary_encode_string(mem_ctx, s);
+	TALLOC_FREE(mem_ctx);
 	return 0;
 }
diff --git a/lib/fuzzing/fuzz_nmblib_parse_packet.c b/lib/fuzzing/fuzz_nmblib_parse_packet.c
new file mode 100644
index 00000000000..7b35abe9f97
--- /dev/null
+++ b/lib/fuzzing/fuzz_nmblib_parse_packet.c
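Review bot: `val` receives the result of `ldb_binary_decode(mem_ctx, s)` but is never read, so the decode output goes unchecked and the compiler may flag a set-but-unused variable; since decoding should only collapse `\XX` escapes into single bytes, the output cannot be longer than the input, and a check such as `if (val.length > strlen(s)) { abort(); }` turns this target into an oracle for over-long output rather than only a crash detector. `static char * possibly_truncate` returns a non-const pointer that its only caller immediately stores in a `const char *`; returning `const char *` (written `const char *possibly_truncate`) matches the file's pointer style and the use. talloc_init() can return NULL, in which case both ldb calls allocate on the NULL context and `TALLOC_FREE(mem_ctx)` releases nothing, so an early `if (mem_ctx == NULL) { return 0; }` keeps the target leak-clean under the sanitizer. The comment `we treat the same string to encoding and decoding` would read better as `we feed the same string to both encoding and decoding`.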
@@ -0,0 +1,56 @@
+/*
+   Fuzz NMB parse_packet
+   Copyright (C) Catalyst IT 2020
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "../../source3/include/includes.h"
+#include "libsmb/libsmb.h"
+#include "libsmb/nmblib.h"
+#include "fuzzing/fuzzing.h"
+
+#define PORT 138
+#define MAX_LENGTH (1024 * 1024)
+char buf[MAX_LENGTH + 1];
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+	struct packet_struct *p = NULL;
+	struct in_addr ip = {
+		0x0100007f /* 127.0.0.1 */
+	};
+
+	p = parse_packet((char *)input,
+			 len,
+			 NMB_PACKET,
+			 ip,
+			 PORT);
+	/*
+	 * We expect NULL (parse failure) most of the time.
+	 *
+	 * When it is not NULL we want to ensure the parsed packet is
+	 * reasonably sound.
+	 */
+
+	if (p != NULL) {
+		struct nmb_packet *nmb = &p->packet.nmb;
+		pull_ascii_nstring(buf, MAX_LENGTH,
+				   nmb->question.question_name.name);
+		build_packet(buf, MAX_LENGTH, p);
+		free_packet(p);
+	}
+	return 0;
+}
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index 4d41a959bff..f8b3886d3da 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
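Review bot: `struct in_addr ip = { 0x0100007f /* 127.0.0.1 */ };` fills `s_addr` with a host-order constant, but `s_addr` is network byte order, so this is 127.0.0.1 only on little-endian hosts and 1.0.0.127 on big-endian ones; `ip.s_addr = htonl(0x7f000001);` (or `inet_aton("127.0.0.1", &ip)`) means what the comment says on every target. `len` is a `size_t` handed straight to parse_packet(), whose length parameter is an `int` in nmblib, with no cap, unlike the other fuzzers in this commit which clamp to MAX_LENGTH; MAX_LENGTH is defined here but only sizes `buf`, so a clamp such as `if (len > MAX_LENGTH) { len = MAX_LENGTH; }` before the call keeps the conversion well-defined. Only NMB_PACKET is exercised; if the datagram parser behind DGRAM_PACKET is to be covered too, the packet type could be chosen from one byte of the input. A one-line comment above `build_packet(buf, MAX_LENGTH, p);` saying that re-serialising the parsed packet is the "reasonably sound" check the earlier comment promises would help the next reader.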
@@ -27,6 +27,11 @@ bld.SAMBA_BINARY('fuzz_reg_parse',
                  deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
                  fuzzer=True)
+bld.SAMBA_BINARY('fuzz_nmblib_parse_packet',
+                 source='fuzz_nmblib_parse_packet.c',
+                 deps='fuzzing libsmb afl-fuzz-main',
+                 fuzzer=True)
+
 bld.SAMBA_BINARY('fuzz_regfio',
                  source='fuzz_regfio.c',
                  deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
@@ -47,6 +52,21 @@ bld.SAMBA_BINARY('fuzz_ldb_parse_control',
                  deps='fuzzing ldb afl-fuzz-main',
                  fuzzer=True)
+bld.SAMBA_BINARY('fuzz_ldb_dn_explode',
+                 source='fuzz_ldb_dn_explode.c',
+                 deps='fuzzing ldb afl-fuzz-main',
+                 fuzzer=True)
+
+bld.SAMBA_BINARY('fuzz_ldb_ldif_read',
+                 source='fuzz_ldb_ldif_read.c',
+                 deps='fuzzing ldb afl-fuzz-main',
+                 fuzzer=True)
+
+bld.SAMBA_BINARY('fuzz_ldb_parse_binary_decode',
+                 source='fuzz_ldb_parse_binary_decode.c',
+                 deps='fuzzing ldb afl-fuzz-main',
+                 fuzzer=True)
+
 bld.SAMBA_BINARY('fuzz_ldb_parse_tree',
                  source='fuzz_ldb_parse_tree.c',
                  deps='fuzzing ldb afl-fuzz-main',
diff --git a/lib/ldb/common/ldb_controls.c b/lib/ldb/common/ldb_controls.c
index 8a727f74e6e..4af06a436ab 100644
--- a/lib/ldb/common/ldb_controls.c
+++ b/lib/ldb/common/ldb_controls.c
@@ -1282,6 +1282,7 @@ struct ldb_control *ldb_parse_control_from_string(struct ldb_context *ldb, TALLO
 	/*
 	 * When no matching control has been found.
 	 */
+	TALLOC_FREE(ctrl);
 	return NULL;
 }
-- 
Samba Shared Repository
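Review bot: The added `TALLOC_FREE(ctrl);` covers only the fall-through "no matching control" path at the end of ldb_parse_control_from_string(); if `ctrl` is allocated before the chain of per-control cases, as this fix implies, each case's own `return NULL` on a malformed option string (outside this hunk) would leak in the same way, and from the hunk alone I cannot tell whether those paths free it, so they deserve the same audit since the OSS-Fuzz input that found this will also reach them. Because the function returns immediately, a plain `talloc_free(ctrl);` would suffice, but TALLOC_FREE is the project idiom and is harmless here. The comment above could state the contract the caller relies on: `/* No matching control: release the allocation and report failure with NULL. */`. The enclosing function starts outside the hunk.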