[mdns] Add fuzzer for PacketReader.
TEST:
$ fx set x64 --fuzz-with asan --packages garnet/packages/tests/all
$ fx full-build
$ fx fuzz start mdns
$ fx fuzz check mdns
Change-Id: I2954617cf97520f28e350b251ec3e633a7ff0b40
diff --git a/bin/mdns/service/BUILD.gn b/bin/mdns/service/BUILD.gn
index dcd1207..dbb6f8f 100644
--- a/bin/mdns/service/BUILD.gn
+++ b/bin/mdns/service/BUILD.gn
@@ -5,6 +5,7 @@
import("//build/package.gni")
import("//build/test.gni")
import("//build/test/test_package.gni")
+import("//build/fuzzing/fuzzer.gni")
executable("bin") {
output_name = "mdns"
@@ -137,6 +138,28 @@
tests = [
{
name = "mdns_tests"
- },
+ }
]
}
+
+fuzz_target("packet_reader_fuzzer") {
+ testonly = true
+ sources = [
+ "packet_reader_fuzzer.cc",
+ "dns_reading.cc",
+ "dns_reading.h",
+ "dns_message.cc",
+ "dns_message.h",
+ "packet_reader.h",
+ "packet_reader.cc",
+ ]
+ deps = [
+ "//garnet/public/lib/fxl",
+ "//garnet/lib/inet",
+ ]
+}
+
+fuzz_package("mdns_fuzzers") {
+ targets = [ ":packet_reader_fuzzer" ]
+ sanitizers = [ "asan", "ubsan" ]
+}
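Review bot: `packet_reader_fuzzer` lists the parser's `.cc`/`.h` files directly in `sources`, which makes it a second build description of the code it tests. If the mdns executable's target (outside this hunk) later gains a file, define or dep that the parser relies on, the fuzzer can end up testing something different from what ships. If those files can be factored into a shared `source_set`, have both the executable and the fuzzer depend on it. No seed corpus or dictionary is declared here either; a few well-formed mDNS packets would probably help the fuzzer get past the header and record-count checks in `dns_reading.cc`. The `},` to `}` change in the `tests` list is unrelated to the fuzzer and could be dropped from this commit.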
diff --git a/bin/mdns/service/dns_reading.cc b/bin/mdns/service/dns_reading.cc
index e61e9bb..02e020b 100644
--- a/bin/mdns/service/dns_reading.cc
+++ b/bin/mdns/service/dns_reading.cc
@@ -174,8 +174,10 @@
reader >> length;
if (length > reader.bytes_remaining()) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
FXL_DLOG(ERROR) << "Bad string length, offset "
<< reader.bytes_consumed();
+#endif
reader.MarkUnhealthy();
return reader;
}
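Review bot: The `#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guard around this `FXL_DLOG` is repeated verbatim in the three later hunks of this file (the `data_size` check, the unsupported-resource-type `default:` case, and the max-record-count check), which scatters build-mode conditionals through the parser's error paths. Only logging is gated in the visible lines, so the fuzzed parsing logic matches the normal build; a comment should say so, for example `// Logging only: nothing inside this guard may change parsing behaviour.` A single file-local macro that expands to `FXL_DLOG` in normal builds and to nothing in fuzzing builds would keep each of the four sites to one line and leave one place to audit. The enclosing function starts and ends outside this hunk.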
@@ -248,8 +250,10 @@
if (data_size > reader.bytes_remaining()) {
reader.MarkUnhealthy();
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
FXL_DLOG(ERROR) << "data_size is " << data_size << ", remaining is "
<< reader.bytes_remaining();
+#endif
}
if (!reader.healthy()) {
@@ -314,8 +318,10 @@
}
} break;
default:
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
FXL_DLOG(WARNING) << "Skipping data for unsupported resource type "
<< static_cast<uint16_t>(value.type_);
+#endif
reader.Bytes(data_size);
break;
}
@@ -330,7 +336,9 @@
value.header_.answer_count_ > kMaxAnswers ||
value.header_.authority_count_ > kMaxAuthorities ||
value.header_.additional_count_ > kMaxAdditionals) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
FXL_DLOG(ERROR) << "Max record count exceeded; rejecting message.";
+#endif
reader.MarkUnhealthy();
return reader;
}
diff --git a/bin/mdns/service/packet_reader_fuzzer.cc b/bin/mdns/service/packet_reader_fuzzer.cc
new file mode 100644
index 0000000..280d769
--- /dev/null
+++ b/bin/mdns/service/packet_reader_fuzzer.cc
@@ -0,0 +1,17 @@
+// Copyright 2018 The Fuchsia Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <vector>
+
+#include "dns_reading.h"
+#include "packet_reader.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ mdns::PacketReader reader(std::vector<uint8_t>(Data, Data + Size));
+ reader.SetBytesRemaining(Size);
+ auto message = std::make_unique<mdns::DnsMessage>();
+ reader >> *message.get();
+
+ return 0;
+}
\ No newline at end of file
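Review bot: `std::make_unique` is used without `#include <memory>`, and `uint8_t`/`size_t` also depend on transitive includes. Either add `#include <cstddef>`, `#include <cstdint>` and `#include <memory>`, or drop the heap allocation and write `mdns::DnsMessage message;` followed by `reader >> message;`. `reader.SetBytesRemaining(Size)` looks redundant if the `PacketReader` constructor already bounds reads to the vector's size; that constructor is not visible here, so confirm it and add a one-line comment explaining the call if it is needed. The file also ends without a trailing newline.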
diff --git a/packages/tests/mdns b/packages/tests/mdns
index 5b866fe..d498792 100644
--- a/packages/tests/mdns
+++ b/packages/tests/mdns
@@ -1,5 +1,9 @@
{
+ "imports": [
+ "garnet/packages/prod/run"
+ ],
"packages": [
- "//garnet/bin/mdns/service:mdns_tests"
+ "//garnet/bin/mdns/service:mdns_tests",
+ "//garnet/bin/mdns/service:mdns_fuzzers"
]
}