The branch, master has been updated
       via  0fcc2e93192 fuzz: add nmblib/parse_packet target
       via  f4bafcca863 fuzz: ldb binary decode/enode
       via  da4786003fe fuzz: add ldb ldif fuzzer
       via  13bd82db64b fuzz: ldb_dn parsing
       via  79460b1b9f3 lib ldb common: Fix memory leak
      from  6b8a6838849 tests: Test samba-tool user setprimarygroup command

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0fcc2e93192b8737b0a711ed2ca118e4e833f3fe
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jan 10 15:44:27 2020 +1300

    fuzz: add nmblib/parse_packet target
    
    We want to ensure that parse_packet() can parse a packet without
    crashing, and that the parsed packet won't cause trouble further down
    the line.
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>
    
    Autobuild-User(master): Gary Lockyer <g...@samba.org>
    Autobuild-Date(master): Wed Jan 15 21:24:31 UTC 2020 on sn-devel-184

commit f4bafcca863f1f11b07dfec960495a84184f2317
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jan 10 17:33:03 2020 +1300

    fuzz: ldb binary decode/enode
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit da4786003fef39737734e1a5cbf752442f7793b1
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jan 10 12:35:54 2020 +1300

    fuzz: add ldb ldif fuzzer
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit 13bd82db64be827c3472255531ee79501f07f129
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jan 10 12:35:30 2020 +1300

    fuzz: ldb_dn parsing
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

commit 79460b1b9f3452d6d68014b84f4a9dc3988bd916
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Tue Jan 14 14:42:26 2020 +1300

    lib ldb common: Fix memory leak
    
    TALLOC_FREE the ldb_control allocated in ldb_parse_control_from_string
    when none of the cases match.
    
    Credit to OSS-Fuzz
    
    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: David Disseldorp <dd...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 ...z_ldb_parse_control.c => fuzz_ldb_dn_explode.c} | 12 ++---
 ...zz_ldb_parse_control.c => fuzz_ldb_ldif_read.c} | 17 +++----
 ...se_control.c => fuzz_ldb_parse_binary_decode.c} | 27 ++++++-----
 lib/fuzzing/fuzz_nmblib_parse_packet.c             | 56 ++++++++++++++++++++++
 lib/fuzzing/wscript_build                          | 20 ++++++++
 lib/ldb/common/ldb_controls.c                      |  1 +
 6 files changed, 106 insertions(+), 27 deletions(-)
 copy lib/fuzzing/{fuzz_ldb_parse_control.c => fuzz_ldb_dn_explode.c} (81%)
 copy lib/fuzzing/{fuzz_ldb_parse_control.c => fuzz_ldb_ldif_read.c} (78%)
 copy lib/fuzzing/{fuzz_ldb_parse_control.c => fuzz_ldb_parse_binary_decode.c} 
(72%)
 create mode 100644 lib/fuzzing/fuzz_nmblib_parse_packet.c


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/fuzz_ldb_parse_control.c 
b/lib/fuzzing/fuzz_ldb_dn_explode.c
similarity index 81%
copy from lib/fuzzing/fuzz_ldb_parse_control.c
copy to lib/fuzzing/fuzz_ldb_dn_explode.c
index bd3fda87fdb..dade67567cb 100644
--- a/lib/fuzzing/fuzz_ldb_parse_control.c
+++ b/lib/fuzzing/fuzz_ldb_dn_explode.c
@@ -17,7 +17,7 @@
 */
 #include "includes.h"
 #include "fuzzing/fuzzing.h"
-#include "ldb_private.h"
+#include "ldb.h"
 
 
 #define MAX_LENGTH (2 * 1024 * 1024 - 1)
@@ -25,10 +25,10 @@ char buf[MAX_LENGTH + 1] = {0};
 
 int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
 {
-       struct ldb_control *control = NULL;
+       struct ldb_dn *dn = NULL;
        struct ldb_context *ldb = ldb_init(NULL, NULL);
        /*
-        * We copy the buffer in order to NUL-teminate, because running off
+        * We copy the buffer in order to NUL-terminate, because running off
         *  the end of the string would be an uninteresting crash.
         */
        if (len > MAX_LENGTH) {
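Review bot: The `ldb_init(NULL, NULL)` result on the line after the new `dn` declaration is never checked, so an allocation failure would either surface as a crash inside ldb_dn_new or be silently masked, depending on how that function treats a NULL context, and the fuzzer would report it as a parser bug rather than a harness problem; `if (ldb == NULL) { return 0; }` before the copy keeps the two apart. The same unchecked `ldb_init` is carried over into fuzz_ldb_ldif_read.c (the hunk at `@@ -25,21 +25,22 @@`), and fuzz_ldb_parse_binary_decode.c treats `talloc_init(__FUNCTION__)` the same way. This was already true of the file the target was copied from, so it is inherited rather than introduced. LLVMFuzzerTestOneInput continues past the end of this hunk.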
@@ -37,10 +37,8 @@ int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
        memcpy(buf, input, len);
        buf[len] = 0;
 
-       control = ldb_parse_control_from_string(ldb, ldb, buf);
-       if (control != NULL) {
-               ldb_control_to_string(ldb, control);
-       }
+       dn = ldb_dn_new(ldb, ldb, buf);
+       ldb_dn_validate(dn);
        TALLOC_FREE(ldb);
        return 0;
 }
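Review bot: Only `ldb_dn_validate(dn)` is run on the new DN, so the serialisation paths that consume an exploded DN are not reached from this target; calling `ldb_dn_get_linearized(dn);` and `ldb_dn_get_casefold(dn);` after the validate line would cover them at no extra cost, since ldb_dn_validate is documented in ldb.h as tolerating a NULL dn and those accessors are the usual next step in callers. Nothing in the hunk needs to change for correctness; this is about how much of the parser's output the harness exercises.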
diff --git a/lib/fuzzing/fuzz_ldb_parse_control.c 
b/lib/fuzzing/fuzz_ldb_ldif_read.c
similarity index 78%
copy from lib/fuzzing/fuzz_ldb_parse_control.c
copy to lib/fuzzing/fuzz_ldb_ldif_read.c
index bd3fda87fdb..f2c46bc9beb 100644
--- a/lib/fuzzing/fuzz_ldb_parse_control.c
+++ b/lib/fuzzing/fuzz_ldb_ldif_read.c
@@ -25,21 +25,22 @@ char buf[MAX_LENGTH + 1] = {0};
 
 int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
 {
-       struct ldb_control *control = NULL;
+       struct ldb_ldif *ldif = NULL;
        struct ldb_context *ldb = ldb_init(NULL, NULL);
-       /*
-        * We copy the buffer in order to NUL-teminate, because running off
-        *  the end of the string would be an uninteresting crash.
-        */
+       const char *s = NULL;
+       
        if (len > MAX_LENGTH) {
                len = MAX_LENGTH;
        }
        memcpy(buf, input, len);
        buf[len] = 0;
+       s = buf;
 
-       control = ldb_parse_control_from_string(ldb, ldb, buf);
-       if (control != NULL) {
-               ldb_control_to_string(ldb, control);
+       ldif = ldb_ldif_read_string(ldb, &s);
+
+       if(ldif != NULL) {
+               ldb_ldif_write_string(ldb, ldb, ldif);
+               ldb_ldif_write_redacted_trace_string(ldb, ldb, ldif);
        }
        TALLOC_FREE(ldb);
        return 0;
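Review bot: The comment explaining why the input is copied into `buf` and NUL-terminated was removed from this copy without a replacement, so the MAX_LENGTH clamp and `buf[len] = 0` now read as unexplained; the original text ("We copy the buffer in order to NUL-terminate, because running off the end of the string would be an uninteresting crash.", with the typo fixed) should go back above the `if (len > MAX_LENGTH)` check. Two small style points in the same hunk: the line added after `const char *s = NULL;` is whitespace-only and should be empty, and `if(ldif != NULL) {` is missing the space used everywhere else in the file. LLVMFuzzerTestOneInput's closing brace is outside the hunk.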
diff --git a/lib/fuzzing/fuzz_ldb_parse_control.c 
b/lib/fuzzing/fuzz_ldb_parse_binary_decode.c
similarity index 72%
copy from lib/fuzzing/fuzz_ldb_parse_control.c
copy to lib/fuzzing/fuzz_ldb_parse_binary_decode.c
index bd3fda87fdb..6b79a34a027 100644
--- a/lib/fuzzing/fuzz_ldb_parse_control.c
+++ b/lib/fuzzing/fuzz_ldb_parse_binary_decode.c
@@ -23,24 +23,27 @@
 #define MAX_LENGTH (2 * 1024 * 1024 - 1)
 char buf[MAX_LENGTH + 1] = {0};
 
-int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+static char * possibly_truncate(uint8_t *input, size_t len)
 {
-       struct ldb_control *control = NULL;
-       struct ldb_context *ldb = ldb_init(NULL, NULL);
-       /*
-        * We copy the buffer in order to NUL-teminate, because running off
-        *  the end of the string would be an uninteresting crash.
-        */
        if (len > MAX_LENGTH) {
                len = MAX_LENGTH;
        }
        memcpy(buf, input, len);
        buf[len] = 0;
+       return buf;
+}
 
-       control = ldb_parse_control_from_string(ldb, ldb, buf);
-       if (control != NULL) {
-               ldb_control_to_string(ldb, control);
-       }
-       TALLOC_FREE(ldb);
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+       TALLOC_CTX *mem_ctx = talloc_init(__FUNCTION__);
+       struct ldb_val val = {0};
+       const char *s = possibly_truncate(input, len);
+
+       /* we treat the same string to encoding and decoding, not
+        * round-tripping. */
+       val = ldb_binary_decode(mem_ctx, s);
+       ldb_binary_encode_string(mem_ctx, s);
+       TALLOC_FREE(mem_ctx);
        return 0;
 }
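Review bot: `val` receives the result of `ldb_binary_decode` but is never read, so a warnings-as-errors build with -Wunused-but-set-variable rejects the target and a reader cannot tell whether the decoded value is meant to be inspected; either drop the variable and call `ldb_binary_decode(mem_ctx, s);` for its effects, or use it, e.g. `ldb_binary_encode(mem_ctx, val);`, which also runs the encoder over decoder output rather than only over the raw input. The new helper name `possibly_truncate` understates what it does (copy into the global `buf` and NUL-terminate it); the explanatory comment this hunk deletes would serve well as its header, and the comment "we treat the same string to encoding and decoding" reads more clearly as "we feed the same string to both the encoder and the decoder; this is not a round-trip." Conventionally the declarator is written `static char *possibly_truncate(...)`.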
diff --git a/lib/fuzzing/fuzz_nmblib_parse_packet.c 
b/lib/fuzzing/fuzz_nmblib_parse_packet.c
new file mode 100644
index 00000000000..7b35abe9f97
--- /dev/null
+++ b/lib/fuzzing/fuzz_nmblib_parse_packet.c
@@ -0,0 +1,56 @@
+/*
+  Fuzz NMB parse_packet
+  Copyright (C) Catalyst IT 2020
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 3 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "../../source3/include/includes.h"
+#include "libsmb/libsmb.h"
+#include "libsmb/nmblib.h"
+#include "fuzzing/fuzzing.h"
+
+#define PORT 138
+#define MAX_LENGTH (1024 * 1024)
+char buf[MAX_LENGTH + 1];
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+       struct packet_struct *p = NULL;
+       struct in_addr ip = {
+               0x0100007f /* 127.0.0.1 */
+       };
+
+       p = parse_packet((char *)input,
+                        len,
+                        NMB_PACKET,
+                        ip,
+                        PORT);
+       /*
+        * We expect NULL (parse failure) most of the time.
+        *
+        * When it is not NULL we want to ensure the parsed packet is
+        * reasonably sound.
+        */
+
+       if (p != NULL) {
+               struct nmb_packet *nmb = &p->packet.nmb;
+               pull_ascii_nstring(buf, MAX_LENGTH,
+                                  nmb->question.question_name.name);
+               build_packet(buf, MAX_LENGTH, p);
+               free_packet(p);
+       }
+       return 0;
+}
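Review bot: The initializer `{ 0x0100007f /* 127.0.0.1 */ }` for `ip` is 127.0.0.1 only on little-endian hosts, because `s_addr` holds the address in network byte order; on a big-endian build it is 1.0.0.127 and the comment is wrong there. `struct in_addr ip = { .s_addr = htonl(INADDR_LOOPBACK) };` expresses the intent portably (both names come from the socket headers that includes.h should already pull in — worth confirming). `len` is also handed straight to parse_packet, whose length parameter appears to be an int in nmblib; a guard such as `if (len > INT_MAX) { return 0; }` keeps the harness self-contained for oversize inputs, and note that MAX_LENGTH bounds only the output buffer, not the input.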
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index 4d41a959bff..f8b3886d3da 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
@@ -27,6 +27,11 @@ bld.SAMBA_BINARY('fuzz_reg_parse',
                  deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
                  fuzzer=True)
 
+bld.SAMBA_BINARY('fuzz_nmblib_parse_packet',
+                 source='fuzz_nmblib_parse_packet.c',
+                 deps='fuzzing libsmb afl-fuzz-main',
+                 fuzzer=True)
+
 bld.SAMBA_BINARY('fuzz_regfio',
                  source='fuzz_regfio.c',
                  deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
@@ -47,6 +52,21 @@ bld.SAMBA_BINARY('fuzz_ldb_parse_control',
                  deps='fuzzing ldb afl-fuzz-main',
                  fuzzer=True)
 
+bld.SAMBA_BINARY('fuzz_ldb_dn_explode',
+                 source='fuzz_ldb_dn_explode.c',
+                 deps='fuzzing ldb afl-fuzz-main',
+                 fuzzer=True)
+
+bld.SAMBA_BINARY('fuzz_ldb_ldif_read',
+                 source='fuzz_ldb_ldif_read.c',
+                 deps='fuzzing ldb afl-fuzz-main',
+                 fuzzer=True)
+
+bld.SAMBA_BINARY('fuzz_ldb_parse_binary_decode',
+                 source='fuzz_ldb_parse_binary_decode.c',
+                 deps='fuzzing ldb afl-fuzz-main',
+                 fuzzer=True)
+
 bld.SAMBA_BINARY('fuzz_ldb_parse_tree',
                  source='fuzz_ldb_parse_tree.c',
                  deps='fuzzing ldb afl-fuzz-main',
diff --git a/lib/ldb/common/ldb_controls.c b/lib/ldb/common/ldb_controls.c
index 8a727f74e6e..4af06a436ab 100644
--- a/lib/ldb/common/ldb_controls.c
+++ b/lib/ldb/common/ldb_controls.c
@@ -1282,6 +1282,7 @@ struct ldb_control *ldb_parse_control_from_string(struct 
ldb_context *ldb, TALLO
        /*
         * When no matching control has been found.
         */
+       TALLOC_FREE(ctrl);
        return NULL;
 }
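Review bot: The added `TALLOC_FREE(ctrl)` closes the no-match path, but the body of ldb_parse_control_from_string above this hunk (its start is outside the view) is where `ctrl` is allocated and where the per-control branches bail out on malformed input; if any of those branches return NULL without releasing `ctrl`, they leak in exactly the same way and deserve the same treatment — worth auditing alongside this fix. The comment above the new line could say why the free is here, e.g. `When no matching control has been found, release the partially built control.`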
 


-- 
Samba Shared Repository
