test: add fuzz entrypoint for ares_create_query()

8 years ago · 8fdd3d3d19
parent d6823a5cf3
commit 8fdd3d3d19
15 changed files with 53 additions and 7 deletions
--- a/test/.gitignore
+++ b/test/.gitignore
@ -11,4 +11,8 @@ test-suite.log
 fuzzoutput
 config.h.in
 config.h
-dnsdump
+dnsdump
+ares-libfuzzer
+ares-libfuzzer-name
+libFuzzer.a
+Fuzzer
--- a/test/Makefile.am
+++ b/test/Makefile.am
@ -15,7 +15,7 @@ include Makefile.inc

 TESTS = arestest fuzzcheck.sh

-noinst_PROGRAMS = arestest aresfuzz dnsdump
+noinst_PROGRAMS = arestest aresfuzz aresfuzzname dnsdump
 arestest_SOURCES = $(TESTSOURCES) $(TESTHEADERS)
 arestest_LDADD = libgmock.la libgtest.la $(ARES_BLD_DIR)/libcares.la $(PTHREAD_LIBS)

@ -83,6 +83,9 @@ libgtest_la_CPPFLAGS = -isystem $(GTEST_DIR)/include -I$(GTEST_DIR) -isystem $(G
 aresfuzz_SOURCES = $(FUZZSOURCES)
 aresfuzz_LDADD = $(ARES_BLD_DIR)/libcares.la

+aresfuzzname_SOURCES = $(FUZZNAMESOURCES)
+aresfuzzname_LDADD = $(ARES_BLD_DIR)/libcares.la
+
 dnsdump_SOURCES = $(DUMPSOURCES)
 dnsdump_LDADD = $(ARES_BLD_DIR)/libcares.la

--- a/test/Makefile.inc
+++ b/test/Makefile.inc
@ -25,5 +25,8 @@ TESTHEADERS = ares-test.h		\
 FUZZSOURCES = ares-test-fuzz.c		\
  ares-fuzz.c

+FUZZNAMESOURCES = ares-test-fuzz-name.c	\
+  ares-fuzz.c
+
 DUMPSOURCES = dns-proto.cc		\
  dns-dump.cc
--- a/test/README.md
+++ b/test/README.md
@ -98,16 +98,19 @@ To fuzz the packet parsing code with libFuzzer, follow the main
   % clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
   % ar ruv libFuzzer.a Fuzzer*.o
   ```
- - Link the fuzzer entrypoint in with `ares-fuzz.cc`:
+ - Link each of the fuzzer entrypoints in with `ares-fuzz.cc`:

   ```
   % $CC $CFLAGS -I.. -c ares-test-fuzz.c
+   % $CC $CFLAGS -I.. -c ares-test-fuzz-name.c
   % clang++ $CFLAGS ares-test-fuzz.o ../.libs/libcares.a libFuzzer.a -o ares-libfuzzer
+   % clang++ $CFLAGS ares-test-fuzz-name.o ../.libs/libcares.a libFuzzer.a -o ares-libfuzzer-name
   ```
 - Run the fuzzer using the starting corpus with:

   ```console
-   % ./ares-libfuzzer fuzzinput/
+   % ./ares-libfuzzer fuzzinput/  # OR
+   % ./ares-libfuzzer-name fuzznames/
   ```

 ### AFL
@ -121,14 +124,15 @@ To fuzz using AFL, follow the
   ```console
   % export CC=$AFLDIR/afl-gcc
   % ./configure --disable-shared && make
-   % cd test && ./configure && make aresfuzz
+   % cd test && ./configure && make aresfuzz aresfuzzname
   ```

 - Run the AFL fuzzer against the starting corpus:

   ```console
   % mkdir fuzzoutput
-   % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz
+   % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz  # OR
+   % $AFLDIR/afl-fuzz -i fuzznames -o fuzzoutput -- ./aresfuzzname
   ```

 ### AFL Persistent Mode
--- a/test/ares-test-fuzz-name.c
+++ b/test/ares-test-fuzz-name.c
@ -0,0 +1,23 @@
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "ares.h"
+// Include ares internal file for DNS protocol constants
+#include "nameser.h"
+
+// Entrypoint for Clang's libfuzzer, exercising query creation.
+int LLVMFuzzerTestOneInput(const unsigned char *data,
+                           unsigned long size) {
+  // Null terminate the data.
+  char *name = malloc(size + 1);
+  name[size] = '\0';
+  memcpy(name, data, size);
+
+  unsigned char *buf = NULL;
+  int buflen = 0;
+  ares_create_query(name, ns_c_in, ns_t_aaaa, 1234, 0, &buf, &buflen, 1024);
+  free(buf);
+  free(name);
+  return 0;
+}
--- a/test/ares-test-fuzz.c
+++ b/test/ares-test-fuzz.c
@ -4,7 +4,7 @@

 // Entrypoint for Clang's libfuzzer
 int LLVMFuzzerTestOneInput(const unsigned char *data,
-                                      unsigned long size) {
+                           unsigned long size) {
  // Feed the data into each of the ares_parse_*_reply functions.
  struct hostent *host = NULL;
  struct ares_addrttl info[5];
--- a/test/fuzznames/name01
+++ b/test/fuzznames/name01
@ -0,0 +1 @@
+normal.name
--- a/test/fuzznames/name02
+++ b/test/fuzznames/name02
@ -0,0 +1 @@
+singlelabel
--- a/test/fuzznames/name03
+++ b/test/fuzznames/name03
@ -0,0 +1 @@
+www.labelismuchtoolong012345678901234567890123456789012345678901234567890123456789.com
--- a/test/fuzznames/name04
+++ b/test/fuzznames/name04
@ -0,0 +1 @@
+labelwithescaped\.dot.dot
--- a/test/fuzznames/name05
+++ b/test/fuzznames/name05
@ -0,0 +1 @@
+escaped.dot.at.end\.
--- a/test/fuzznames/name06
+++ b/test/fuzznames/name06
@ -0,0 +1 @@
+absolute.name.
--- a/test/fuzznames/name07
+++ b/test/fuzznames/name07
@ -0,0 +1 @@
+empty..label
--- a/test/fuzznames/name08
+++ b/test/fuzznames/name08
@ -0,0 +1 @@
+utf8.££.data.com
--- a/test/fuzznames/name09
+++ b/test/fuzznames/name09
@ -0,0 +1 @@
+astral.plane.utf8.name.𐀀.org
				`@ -0,0 +1 @@`
				`www.labelismuchtoolong012345678901234567890123456789012345678901234567890123456789.com`