1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12 #include <assert.h>
13 #include <stddef.h>
14 #include <stdint.h>
15 #include <string.h>
16
17 #include <isc/buffer.h>
18 #include <isc/lex.h>
19 #include <isc/mem.h>
20 #include <isc/result.h>
21 #include <isc/util.h>
22
23 #include <dns/callbacks.h>
24 #include <dns/compress.h>
25 #include <dns/master.h>
26 #include <dns/rdata.h>
27 #include <dns/rdatatype.h>
28
29 #include "fuzz.h"
30
31 bool debug = false;
32
33 /*
34 * Fuzz input to dns_rdata_fromwire(). Then convert the result
35 * to text, back to wire format, to multiline text, and back to wire
36 * format again, checking for consistency throughout the sequence.
37 */
38
39 static isc_mem_t *mctx = NULL;
40 static isc_lex_t *lex = NULL;
41
42 int
LLVMFuzzerInitialize(int * argc,char *** argv)43 LLVMFuzzerInitialize(int *argc __attribute__((unused)),
44 char ***argv __attribute__((unused))) {
45 isc_lexspecials_t specials;
46
47 isc_mem_create(&mctx);
48 RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS);
49 CHECK(isc_lex_create(mctx, 64, &lex));
50
51 memset(specials, 0, sizeof(specials));
52 specials[0] = 1;
53 specials['('] = 1;
54 specials[')'] = 1;
55 specials['"'] = 1;
56 isc_lex_setspecials(lex, specials);
57 isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
58
59 return (0);
60 }
61
62 static void
nullmsg(dns_rdatacallbacks_t * cb,const char * fmt,...)63 nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) {
64 va_list args;
65
66 UNUSED(cb);
67
68 if (debug) {
69 va_start(args, fmt);
70 vfprintf(stderr, fmt, args);
71 fprintf(stderr, "\n");
72 va_end(args);
73 }
74 }
75
76 int
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)77 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
78 char totext[64 * 1044 * 4];
79 dns_compress_t cctx;
80 dns_decompress_t dctx;
81 dns_rdatatype_t rdtype;
82 dns_rdataclass_t rdclass;
83 dns_rdatatype_t typelist[256] = { 1000 }; /* unknown */
84 dns_rdataclass_t classlist[] = { dns_rdataclass_in, dns_rdataclass_hs,
85 dns_rdataclass_ch, dns_rdataclass_any,
86 60 };
87 dns_rdata_t rdata1 = DNS_RDATA_INIT, rdata2 = DNS_RDATA_INIT,
88 rdata3 = DNS_RDATA_INIT;
89 dns_rdatacallbacks_t callbacks;
90 isc_buffer_t source, target;
91 isc_result_t result;
92 unsigned char fromtext[1024];
93 unsigned char fromwire[1024];
94 unsigned char towire[1024];
95 unsigned int classes = (sizeof(classlist) / sizeof(classlist[0]));
96 unsigned int types = 1, flags, t;
97
98 /*
99 * First 2 bytes are used to select type and class.
100 * dns_rdata_fromwire() only accepts input up to 2^16-1 octets.
101 */
102 if (size < 2 || size > 0xffff + 2) {
103 return (0);
104 }
105
106 /*
107 * Append known types to list.
108 */
109 for (t = 1; t <= 0x10000; t++) {
110 char typebuf[256];
111 if (dns_rdatatype_ismeta(t)) {
112 continue;
113 }
114 dns_rdatatype_format(t, typebuf, sizeof(typebuf));
115 if (strncmp(typebuf, "TYPE", 4) != 0) {
116 /* Assert when we need to grow typelist. */
117 assert(types < sizeof(typelist) / sizeof(typelist[0]));
118 typelist[types++] = t;
119 }
120 }
121
122 /*
123 * Random type and class from a limited set.
124 */
125 rdtype = typelist[(*data++) % types];
126 size--;
127 rdclass = classlist[(*data++) % classes];
128 size--;
129
130 if (debug) {
131 fprintf(stderr, "type=%u, class=%u\n", rdtype, rdclass);
132 }
133
134 dns_rdatacallbacks_init(&callbacks);
135 callbacks.warn = callbacks.error = nullmsg;
136
137 /* Disallow decompression as we are reading a packet */
138 dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
139
140 isc_buffer_constinit(&source, data, size);
141 isc_buffer_add(&source, size);
142 isc_buffer_setactive(&source, size);
143
144 isc_buffer_init(&target, fromwire, sizeof(fromwire));
145
146 /*
147 * Reject invalid rdata.
148 */
149 CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, 0,
150 &target));
151 assert(rdata1.length == size);
152
153 /*
154 * Convert to text from wire.
155 */
156 isc_buffer_init(&target, totext, sizeof(totext) - 1);
157 result = dns_rdata_totext(&rdata1, NULL, &target);
158 assert(result == ISC_R_SUCCESS);
159
160 /*
161 * Make debugging easier by NUL terminating.
162 */
163 totext[isc_buffer_usedlength(&target)] = 0;
164
165 /*
166 * Convert to wire from text.
167 */
168 isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target));
169 isc_buffer_add(&source, isc_buffer_usedlength(&target));
170 CHECK(isc_lex_openbuffer(lex, &source));
171
172 isc_buffer_init(&target, fromtext, sizeof(fromtext));
173 result = dns_rdata_fromtext(&rdata2, rdclass, rdtype, lex, dns_rootname,
174 0, mctx, &target, &callbacks);
175 if (debug && result != ISC_R_SUCCESS) {
176 fprintf(stderr, "'%s'\n", totext);
177 }
178 assert(result == ISC_R_SUCCESS);
179 assert(rdata2.length == size);
180 assert(!memcmp(rdata2.data, data, size));
181
182 /*
183 * Convert to multi-line text from wire.
184 */
185 isc_buffer_init(&target, totext, sizeof(totext));
186 flags = dns_master_styleflags(&dns_master_style_default);
187 result = dns_rdata_tofmttext(&rdata1, dns_rootname, flags, 80 - 32, 4,
188 "\n", &target);
189 assert(result == ISC_R_SUCCESS);
190
191 /*
192 * Convert to wire from text.
193 */
194 isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target));
195 isc_buffer_add(&source, isc_buffer_usedlength(&target));
196 CHECK(isc_lex_openbuffer(lex, &source));
197
198 isc_buffer_init(&target, fromtext, sizeof(fromtext));
199 result = dns_rdata_fromtext(&rdata3, rdclass, rdtype, lex, dns_rootname,
200 0, mctx, &target, &callbacks);
201 assert(result == ISC_R_SUCCESS);
202 assert(rdata3.length == size);
203 assert(!memcmp(rdata3.data, data, size));
204
205 /*
206 * Convert rdata back to wire.
207 */
208 CHECK(dns_compress_init(&cctx, -1, mctx));
209 dns_compress_disable(&cctx);
210 isc_buffer_init(&target, towire, sizeof(towire));
211 result = dns_rdata_towire(&rdata1, &cctx, &target);
212 dns_compress_invalidate(&cctx);
213 assert(result == ISC_R_SUCCESS);
214 assert(target.used == size);
215 assert(!memcmp(target.base, data, size));
216
217 return (0);
218 }
219