Fuzzing: Fix memory leak in test case

The test case changes introduced a memory leak in the test itself (not in c-ares). Fix this memory leak. Also move prior fuzzing information into the new fuzzing document. Fix By: Brad House (@bradh352)
3 months ago · fb3160f375
parent 50511d6920
commit fb3160f375
3 changed files with 52 additions and 80 deletions
--- a/test/FUZZING.md
+++ b/test/FUZZING.md
@ -1,5 +1,7 @@
 # Fuzzing Hints

+## LibFuzzer
+
 1. Set compiler that supports fuzzing, this is an example on MacOS using
   a homebrew-installed clang/llvm:
 ```
@ -10,8 +12,8 @@ export CXX="/opt/homebrew/Cellar/llvm/18.1.8/bin/clang++"
 2. Compile c-ares with both ASAN and fuzzing support.  We want an optimized
   debug build so we will use `RelWithDebInfo`:
 ```
-export CFLAGS="-fsanitize=address,fuzzer-no-link"
-export CXXFLAGS="-fsanitize=address,fuzzer-no-link"
+export CFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
+export CXXFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
 export LDFLAGS="-fsanitize=address,fuzzer-no-link"
 mkdir buildfuzz
 cd buildfuzz
@ -21,7 +23,7 @@ ninja

 3. Build the fuzz test itself linked against our fuzzing-enabled build:
 ```
-${CC} -W -Wall -fsanitize=address,fuzzer -I../include -I../src/lib/include -I. -o ares-test-fuzz ../test/ares-test-fuzz.c -L./lib -Wl,-rpath ./lib -lcares
+${CC} -W -Wall -Og -fsanitize=address,fuzzer -I../include -I../src/lib/include -I. -o ares-test-fuzz ../test/ares-test-fuzz.c -L./lib -Wl,-rpath ./lib -lcares
 ```

 4. Run the fuzzer, its better if you can provide seed input but it does pretty
@ -32,3 +34,49 @@ ${CC} -W -Wall -fsanitize=address,fuzzer -I../include -I../src/lib/include -I. -
 mkdir corpus
 ./ares-test-fuzz -max_len=65535 corpus
 ```
+
+## AFL
+
+To fuzz using AFL, follow the
+[AFL quick start guide](http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt):
+
+ - Download and build AFL.
+ - Configure the c-ares library and test tool to use AFL's compiler wrappers:
+
+   ```console
+   % export CC=$AFLDIR/afl-gcc
+   % ./configure --disable-shared && make
+   % cd test && ./configure && make aresfuzz aresfuzzname
+   ```
+
+ - Run the AFL fuzzer against the starting corpus:
+
+   ```console
+   % mkdir fuzzoutput
+   % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz  # OR
+   % $AFLDIR/afl-fuzz -i fuzznames -o fuzzoutput -- ./aresfuzzname
+   ```
+
+## AFL Persistent Mode
+
+If a recent version of Clang is available, AFL can use its built-in compiler
+instrumentation; this configuration also allows the use of a (much) faster
+persistent mode, where multiple fuzz inputs are run for each process invocation.
+
+ - Download and build a recent AFL, and run `make` in the `llvm_mode`
+   subdirectory to ensure that `afl-clang-fast` gets built.
+ - Configure the c-ares library and test tool to use AFL's clang wrappers that
+   use compiler instrumentation:
+
+   ```console
+   % export CC=$AFLDIR/afl-clang-fast
+   % ./configure --disable-shared && make
+   % cd test && ./configure && make aresfuzz
+   ```
+
+ - Run the AFL fuzzer (in persistent mode) against the starting corpus:
+
+   ```console
+   % mkdir fuzzoutput
+   % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz
+   ```
--- a/test/README.md
+++ b/test/README.md
@ -73,80 +73,3 @@ To generate code coverage information:
 - Generate code coverage output with `make code-coverage-capture` in the
   library directory (i.e. not in `test/`).

-
-Fuzzing
-------
-
-### libFuzzer
-
-To fuzz the packet parsing code with libFuzzer, follow the main
-[libFuzzer instructions](http://llvm.org/docs/LibFuzzer.html):
-
- - Configure the c-ares library and test suite with a recent Clang and a sanitizer, for example:
-
-   ```console
-   % export CFLAGS="-fsanitize=fuzzer-no-link,address"
-   % export CC=clang
-   % ./configure --disable-shared && make
-   ```
- - Link each of the fuzzer entrypoints in with `ares-fuzz.cc`:
-
-   ```
-   % clang -I.. -c ares-test-fuzz.c
-   % clang -I.. -c ares-test-fuzz-name.c
-   % clang++ -fsanitize=fuzzer,address ares-test-fuzz.o ../.libs/libcares.a -o ares-libfuzzer
-   % clang++ -fsanitize=fuzzer,address ares-test-fuzz-name.o ../.libs/libcares.a -o ares-libfuzzer-name
-   ```
- - Run the fuzzer using the starting corpus with:
-
-   ```console
-   % ./ares-libfuzzer fuzzinput/  # OR
-   % ./ares-libfuzzer-name fuzznames/
-   ```
-
-### AFL
-
-To fuzz using AFL, follow the
-[AFL quick start guide](http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt):
-
- - Download and build AFL.
- - Configure the c-ares library and test tool to use AFL's compiler wrappers:
-
-   ```console
-   % export CC=$AFLDIR/afl-gcc
-   % ./configure --disable-shared && make
-   % cd test && ./configure && make aresfuzz aresfuzzname
-   ```
-
- - Run the AFL fuzzer against the starting corpus:
-
-   ```console
-   % mkdir fuzzoutput
-   % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz  # OR
-   % $AFLDIR/afl-fuzz -i fuzznames -o fuzzoutput -- ./aresfuzzname
-   ```
-
-### AFL Persistent Mode
-
-If a recent version of Clang is available, AFL can use its built-in compiler
-instrumentation; this configuration also allows the use of a (much) faster
-persistent mode, where multiple fuzz inputs are run for each process invocation.
-
- - Download and build a recent AFL, and run `make` in the `llvm_mode`
-   subdirectory to ensure that `afl-clang-fast` gets built.
- - Configure the c-ares library and test tool to use AFL's clang wrappers that
-   use compiler instrumentation:
-
-   ```console
-   % export CC=$AFLDIR/afl-clang-fast
-   % ./configure --disable-shared && make
-   % cd test && ./configure && make aresfuzz
-   ```
-
- - Run the AFL fuzzer (in persistent mode) against the starting corpus:
-
-   ```console
-   % mkdir fuzzoutput
-   % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz
-   ```
-
--- a/test/ares-test-fuzz.c
+++ b/test/ares-test-fuzz.c
@ -290,6 +290,7 @@ done:
  ares_dns_record_destroy(dnsrec);
  ares__buf_destroy(printmsg);
  ares_free(printdata);
+  ares_free(datadup);
  return 0;
 }