Fuzzing: Fix memory leak in test case

The test case changes introduced a memory leak in the test itself
(not in c-ares).  Fix this memory leak.  Also move prior fuzzing
information into the new fuzzing document.

Fix By: Brad House (@bradh352)
pull/871/head
Brad House 3 months ago
parent 50511d6920
commit fb3160f375
  1. 54
      test/FUZZING.md
  2. 77
      test/README.md
  3. 1
      test/ares-test-fuzz.c

54
test/FUZZING.md vendored

@ -1,5 +1,7 @@
# Fuzzing Hints # Fuzzing Hints
## LibFuzzer
1. Set compiler that supports fuzzing, this is an example on MacOS using 1. Set compiler that supports fuzzing, this is an example on MacOS using
a homebrew-installed clang/llvm: a homebrew-installed clang/llvm:
``` ```
@ -10,8 +12,8 @@ export CXX="/opt/homebrew/Cellar/llvm/18.1.8/bin/clang++"
2. Compile c-ares with both ASAN and fuzzing support. We want an optimized 2. Compile c-ares with both ASAN and fuzzing support. We want an optimized
debug build so we will use `RelWithDebInfo`: debug build so we will use `RelWithDebInfo`:
``` ```
export CFLAGS="-fsanitize=address,fuzzer-no-link" export CFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
export CXXFLAGS="-fsanitize=address,fuzzer-no-link" export CXXFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
export LDFLAGS="-fsanitize=address,fuzzer-no-link" export LDFLAGS="-fsanitize=address,fuzzer-no-link"
mkdir buildfuzz mkdir buildfuzz
cd buildfuzz cd buildfuzz
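Review bot: the new `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` define in CFLAGS/CXXFLAGS is added without any explanation of what it changes in the library. The name itself says a build carrying it must never be shipped, so step 2 should state which behaviour the define alters (and why a fuzzer wants that), and add a sentence that artifacts from `buildfuzz` are for fuzzing only. Note also that LDFLAGS on the next line intentionally does not carry the define; a one-line remark would stop readers from "fixing" that.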
@ -21,7 +23,7 @@ ninja
3. Build the fuzz test itself linked against our fuzzing-enabled build: 3. Build the fuzz test itself linked against our fuzzing-enabled build:
``` ```
${CC} -W -Wall -fsanitize=address,fuzzer -I../include -I../src/lib/include -I. -o ares-test-fuzz ../test/ares-test-fuzz.c -L./lib -Wl,-rpath ./lib -lcares ${CC} -W -Wall -Og -fsanitize=address,fuzzer -I../include -I../src/lib/include -I. -o ares-test-fuzz ../test/ares-test-fuzz.c -L./lib -Wl,-rpath ./lib -lcares
``` ```
4. Run the fuzzer, its better if you can provide seed input but it does pretty 4. Run the fuzzer, its better if you can provide seed input but it does pretty
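Review bot: the harness compile line in step 3 gains `-Og` but still has no `-g`, while the library is built with `RelWithDebInfo` (optimized plus debug info). Without `-g` the frames inside `ares-test-fuzz.c` in an ASAN report will lack file and line information, which is exactly what you want when the bug is in the test itself (as this commit's own fix shows). Suggest `${CC} -W -Wall -Og -g -fsanitize=address,fuzzer ...`. Separately, "its better" in step 4 should read "it's better".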
@ -32,3 +34,49 @@ ${CC} -W -Wall -fsanitize=address,fuzzer -I../include -I../src/lib/include -I. -
mkdir corpus mkdir corpus
./ares-test-fuzz -max_len=65535 corpus ./ares-test-fuzz -max_len=65535 corpus
``` ```
## AFL
To fuzz using AFL, follow the
[AFL quick start guide](http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt):
- Download and build AFL.
- Configure the c-ares library and test tool to use AFL's compiler wrappers:
```console
% export CC=$AFLDIR/afl-gcc
% ./configure --disable-shared && make
% cd test && ./configure && make aresfuzz aresfuzzname
```
- Run the AFL fuzzer against the starting corpus:
```console
% mkdir fuzzoutput
% $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz # OR
% $AFLDIR/afl-fuzz -i fuzznames -o fuzzoutput -- ./aresfuzzname
```
## AFL Persistent Mode
If a recent version of Clang is available, AFL can use its built-in compiler
instrumentation; this configuration also allows the use of a (much) faster
persistent mode, where multiple fuzz inputs are run for each process invocation.
- Download and build a recent AFL, and run `make` in the `llvm_mode`
subdirectory to ensure that `afl-clang-fast` gets built.
- Configure the c-ares library and test tool to use AFL's clang wrappers that
use compiler instrumentation:
```console
% export CC=$AFLDIR/afl-clang-fast
% ./configure --disable-shared && make
% cd test && ./configure && make aresfuzz
```
- Run the AFL fuzzer (in persistent mode) against the starting corpus:
```console
% mkdir fuzzoutput
% $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz
```
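Review bot: the AFL and AFL Persistent Mode sections moved in here still describe the old autotools workflow (`./configure --disable-shared && make`, `cd test && ./configure && make aresfuzz aresfuzzname`, binaries `./aresfuzz` and `./aresfuzzname`, corpora `fuzzinput` and `fuzznames`), whereas the LibFuzzer section directly above builds with CMake in `buildfuzz` and compiles `ares-test-fuzz` by hand from `../test/ares-test-fuzz.c`. Readers will not know whether the `make aresfuzz` targets still exist or how `fuzzinput`/`fuzznames` relate to the `corpus` directory used in step 4. Either rewrite the AFL steps against the same CMake build and `ares-test-fuzz` harness, or add a sentence at the top of `## AFL` stating which build system those steps assume. Also, `## AFL` follows the closing fence with no blank line; add one for consistent rendering.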

77
test/README.md vendored

@ -73,80 +73,3 @@ To generate code coverage information:
- Generate code coverage output with `make code-coverage-capture` in the - Generate code coverage output with `make code-coverage-capture` in the
library directory (i.e. not in `test/`). library directory (i.e. not in `test/`).
Fuzzing
-------
### libFuzzer
To fuzz the packet parsing code with libFuzzer, follow the main
[libFuzzer instructions](http://llvm.org/docs/LibFuzzer.html):
- Configure the c-ares library and test suite with a recent Clang and a sanitizer, for example:
```console
% export CFLAGS="-fsanitize=fuzzer-no-link,address"
% export CC=clang
% ./configure --disable-shared && make
```
- Link each of the fuzzer entrypoints in with `ares-fuzz.cc`:
```
% clang -I.. -c ares-test-fuzz.c
% clang -I.. -c ares-test-fuzz-name.c
% clang++ -fsanitize=fuzzer,address ares-test-fuzz.o ../.libs/libcares.a -o ares-libfuzzer
% clang++ -fsanitize=fuzzer,address ares-test-fuzz-name.o ../.libs/libcares.a -o ares-libfuzzer-name
```
- Run the fuzzer using the starting corpus with:
```console
% ./ares-libfuzzer fuzzinput/ # OR
% ./ares-libfuzzer-name fuzznames/
```
### AFL
To fuzz using AFL, follow the
[AFL quick start guide](http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt):
- Download and build AFL.
- Configure the c-ares library and test tool to use AFL's compiler wrappers:
```console
% export CC=$AFLDIR/afl-gcc
% ./configure --disable-shared && make
% cd test && ./configure && make aresfuzz aresfuzzname
```
- Run the AFL fuzzer against the starting corpus:
```console
% mkdir fuzzoutput
% $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz # OR
% $AFLDIR/afl-fuzz -i fuzznames -o fuzzoutput -- ./aresfuzzname
```
### AFL Persistent Mode
If a recent version of Clang is available, AFL can use its built-in compiler
instrumentation; this configuration also allows the use of a (much) faster
persistent mode, where multiple fuzz inputs are run for each process invocation.
- Download and build a recent AFL, and run `make` in the `llvm_mode`
subdirectory to ensure that `afl-clang-fast` gets built.
- Configure the c-ares library and test tool to use AFL's clang wrappers that
use compiler instrumentation:
```console
% export CC=$AFLDIR/afl-clang-fast
% ./configure --disable-shared && make
% cd test && ./configure && make aresfuzz
```
- Run the AFL fuzzer (in persistent mode) against the starting corpus:
```console
% mkdir fuzzoutput
% $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz
```
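Review bot: the whole `Fuzzing` section is removed from `test/README.md` with nothing left in its place, so anyone who lands on this README (the file the old links and search results point at) gets no hint that the instructions now live in `test/FUZZING.md`. Suggest keeping a two-line stub where the section was, e.g. `Fuzzing` / `-------` / `See [FUZZING.md](FUZZING.md).` Note as well that the removed text documented linking `ares-test-fuzz-name.c` and the `fuzznames` corpus for the name-parsing entrypoint; the new LibFuzzer section only builds `ares-test-fuzz`, so that entrypoint is now undocumented unless it was intentionally dropped.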

@ -290,6 +290,7 @@ done:
ares_dns_record_destroy(dnsrec); ares_dns_record_destroy(dnsrec);
ares__buf_destroy(printmsg); ares__buf_destroy(printmsg);
ares_free(printdata); ares_free(printdata);
ares_free(datadup);
return 0; return 0;
} }
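Review bot: the added `ares_free(datadup);` sits under the `done:` label, so it runs on every path that jumps to `done`, including any early-exit path taken before `datadup` is allocated. The hunk does not show the declaration; please confirm `datadup` is initialised to `NULL` at its declaration (as the neighbouring `dnsrec`, `printmsg` and `printdata` presumably are, since they are destroyed unconditionally here), otherwise a `goto done` before the copy frees an uninitialised pointer. If the variable is declared without an initialiser, the fix is one line: `char *datadup = NULL;` (name and type as used by the existing code).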
