projects/dnsmasq/fuzz_patch.patch - platform/external/oss-fuzz - Git at Google

 diff --git a/src/blockdata.c b/src/blockdata.c
 index 0986285..852c961 100644
 --- a/src/blockdata.c
 +++ b/src/blockdata.c
 @@ -15,16 +15,22 @@
  */

  #include "dnsmasq.h"
 +#include <assert.h>

  static struct blockdata *keyblock_free;
  static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;

 +void *total_allocated[200] = {0};
 +static int fuzz_total_alloc_ptr = 0;
 +
  static void blockdata_expand(int n)
  {
    struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));

    if (new)
      {
 +      assert(fuzz_total_alloc_ptr < 200);
 +      total_allocated[fuzz_total_alloc_ptr++] = (void*)new;
        int i;

        new[n-1].next = keyblock_free;
 @@ -45,11 +51,23 @@ void blockdata_init(void)
    blockdata_count = 0;
    blockdata_hwm = 0;

 +  fuzz_total_alloc_ptr = 0;
 +  for (int m = 0; m < 200; m++)
 +	  total_allocated[m] = NULL;
 +
    /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */
    if (option_bool(OPT_DNSSEC_VALID))
      blockdata_expand(daemon->cachesize);
  }

 +void fuzz_blockdata_cleanup() {
 +	for (int i = 0; i < 200; i++) {
 +		if (total_allocated[i] != NULL) {
 +			free(total_allocated[i]);
 +		}
 +	}
 +}
 +
  void blockdata_report(void)
  {
    my_syslog(LOG_INFO, _("pool memory in use %zu, max %zu, allocated %zu"),
 diff --git a/src/dhcp.c b/src/dhcp.c
 index e500bc2..7215590 100644
 --- a/src/dhcp.c
 +++ b/src/dhcp.c
 @@ -183,18 +183,26 @@ void dhcp_packet(time_t now, int pxe_fd)
      recvtime = tv.tv_sec;

    if (msg.msg_controllen >= sizeof(struct cmsghdr))
 -    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 -      if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
 -	{
 -	  union {
 -	    unsigned char *c;
 -	    struct in_pktinfo *p;
 -	  } p;
 -	  p.c = CMSG_DATA(cmptr);
 -	  iface_index = p.p->ipi_ifindex;
 -	  if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
 -	    unicast_dest = 1;
 -	}
 +  {
 +    int tmp_val = 0;
 +      for (cmptr = CMSG_FIRSTHDR(&msg);
 +          cmptr && tmp_val < 1;
 +          tmp_val++) {
 +          //cmptr = CMSG_NXTHDR(&msg, cmptr)) {
 +      tmp_val++;
 +          if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
 +      {
 +        union {
 +          unsigned char *c;
 +          struct in_pktinfo *p;
 +        } p;
 +        p.c = CMSG_DATA(cmptr);
 +        iface_index = p.p->ipi_ifindex;
 +        if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
 +          unicast_dest = 1;
 +      }
 +    }
 +  }

  #elif defined(HAVE_BSD_NETWORK)
    if (msg.msg_controllen >= sizeof(struct cmsghdr))
 diff --git a/src/dhcp6.c b/src/dhcp6.c
 index ae1f5c1..ce7397d 100644
 --- a/src/dhcp6.c
 +++ b/src/dhcp6.c
 @@ -116,10 +116,14 @@ void dhcp6_packet(time_t now)
    msg.msg_iov =  &daemon->dhcp_packet;
    msg.msg_iovlen = 1;

 -  if ((sz = recv_dhcp_packet(daemon->dhcp6fd, &msg)) == -1)
 +  if ((sz = recv_dhcp_packet(daemon->dhcp6fd, &msg)) == -1){
      return;
 -
 -  for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 +  }
 +
 +  int tmp_val = 0;
 +//  for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) {
 +  for (cmptr = CMSG_FIRSTHDR(&msg); cmptr && tmp_val < 1; tmp_val++) {
 +    tmp_val++;
      if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
        {
  	union {
 @@ -131,9 +135,11 @@ void dhcp6_packet(time_t now)
  	if_index = p.p->ipi6_ifindex;
  	dst_addr = p.p->ipi6_addr;
        }
 +  }

 -  if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
 +  if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name)) {
      return;
 +  }

    if ((port = relay_reply6(&from, sz, ifr.ifr_name)) != 0)
      {
 diff --git a/src/netlink.c b/src/netlink.c
 index 7840ef9..2419897 100644
 --- a/src/netlink.c
 +++ b/src/netlink.c
 @@ -197,8 +197,13 @@ int iface_enumerate(int family, void *parm, int (*callback)())
    if (errno != 0)
      return 0;

 +  int valval = 0;
    while (1)
      {
 +      valval++;
 +      if (valval > 300) {
 +        return -1;
 +      }
        if ((len = netlink_recv(0)) == -1)
  	{
  	  if (errno == ENOBUFS)
 diff --git a/src/network.c b/src/network.c
 index 296c7bd..c03961a 100644
 --- a/src/network.c
 +++ b/src/network.c
 @@ -697,6 +697,7 @@ int enumerate_interfaces(int reset)
    struct auth_zone *zone;
  #endif
    struct server *serv;
 +  int iteration = 0;

    /* Do this max once per select cycle  - also inhibits netlink socket use
     in TCP child processes. */
 @@ -734,6 +735,10 @@ int enumerate_interfaces(int reset)
        }

  again:
 +  if (iteration > 100) {
 +    return 0;
 +  }
 +  iteration += 1;
    /* Mark interfaces for garbage collection */
    for (iface = daemon->interfaces; iface; iface = iface->next)
      iface->found = 0;
	diff --git a/src/blockdata.c b/src/blockdata.c
	index 0986285..852c961 100644
	--- a/src/blockdata.c
	+++ b/src/blockdata.c
	@@ -15,16 +15,22 @@
	*/

	#include "dnsmasq.h"
	+#include <assert.h>

	static struct blockdata *keyblock_free;
	static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;

	+void *total_allocated[200] = {0};
	+static int fuzz_total_alloc_ptr = 0;
	+
	static void blockdata_expand(int n)
	{
	struct blockdata new = whine_malloc(n sizeof(struct blockdata));

	if (new)
	{
	+ assert(fuzz_total_alloc_ptr < 200);
	+ total_allocated[fuzz_total_alloc_ptr++] = (void*)new;
	int i;

	new[n-1].next = keyblock_free;
	@@ -45,11 +51,23 @@ void blockdata_init(void)
	blockdata_count = 0;
	blockdata_hwm = 0;

	+ fuzz_total_alloc_ptr = 0;
	+ for (int m = 0; m < 200; m++)
	+ total_allocated[m] = NULL;
	+
	/* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */
	if (option_bool(OPT_DNSSEC_VALID))
	blockdata_expand(daemon->cachesize);
	}

	+void fuzz_blockdata_cleanup() {
	+ for (int i = 0; i < 200; i++) {
	+ if (total_allocated[i] != NULL) {
	+ free(total_allocated[i]);
	+ }
	+ }
	+}
	+
	void blockdata_report(void)
	{
	my_syslog(LOG_INFO, _("pool memory in use %zu, max %zu, allocated %zu"),
	diff --git a/src/dhcp.c b/src/dhcp.c
	index e500bc2..7215590 100644
	--- a/src/dhcp.c
	+++ b/src/dhcp.c
	@@ -183,18 +183,26 @@ void dhcp_packet(time_t now, int pxe_fd)
	recvtime = tv.tv_sec;

	if (msg.msg_controllen >= sizeof(struct cmsghdr))
	- for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
	- if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
	- {
	- union {
	- unsigned char *c;
	- struct in_pktinfo *p;
	- } p;
	- p.c = CMSG_DATA(cmptr);
	- iface_index = p.p->ipi_ifindex;
	- if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
	- unicast_dest = 1;
	- }
	+ {
	+ int tmp_val = 0;
	+ for (cmptr = CMSG_FIRSTHDR(&msg);
	+ cmptr && tmp_val < 1;
	+ tmp_val++) {
	+ //cmptr = CMSG_NXTHDR(&msg, cmptr)) {
	+ tmp_val++;
	+ if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
	+ {
	+ union {
	+ unsigned char *c;
	+ struct in_pktinfo *p;
	+ } p;
	+ p.c = CMSG_DATA(cmptr);
	+ iface_index = p.p->ipi_ifindex;
	+ if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
	+ unicast_dest = 1;
	+ }
	+ }
	+ }

	#elif defined(HAVE_BSD_NETWORK)
	if (msg.msg_controllen >= sizeof(struct cmsghdr))
	diff --git a/src/dhcp6.c b/src/dhcp6.c
	index ae1f5c1..ce7397d 100644
	--- a/src/dhcp6.c
	+++ b/src/dhcp6.c
	@@ -116,10 +116,14 @@ void dhcp6_packet(time_t now)
	msg.msg_iov = &daemon->dhcp_packet;
	msg.msg_iovlen = 1;

	- if ((sz = recv_dhcp_packet(daemon->dhcp6fd, &msg)) == -1)
	+ if ((sz = recv_dhcp_packet(daemon->dhcp6fd, &msg)) == -1){
	return;
	-
	- for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
	+ }
	+
	+ int tmp_val = 0;
	+// for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) {
	+ for (cmptr = CMSG_FIRSTHDR(&msg); cmptr && tmp_val < 1; tmp_val++) {
	+ tmp_val++;
	if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
	{
	union {
	@@ -131,9 +135,11 @@ void dhcp6_packet(time_t now)
	if_index = p.p->ipi6_ifindex;
	dst_addr = p.p->ipi6_addr;
	}
	+ }

	- if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
	+ if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name)) {
	return;
	+ }

	if ((port = relay_reply6(&from, sz, ifr.ifr_name)) != 0)
	{
	diff --git a/src/netlink.c b/src/netlink.c
	index 7840ef9..2419897 100644
	--- a/src/netlink.c
	+++ b/src/netlink.c
	@@ -197,8 +197,13 @@ int iface_enumerate(int family, void parm, int (callback)())
	if (errno != 0)
	return 0;

	+ int valval = 0;
	while (1)
	{
	+ valval++;
	+ if (valval > 300) {
	+ return -1;
	+ }
	if ((len = netlink_recv(0)) == -1)
	{
	if (errno == ENOBUFS)
	diff --git a/src/network.c b/src/network.c
	index 296c7bd..c03961a 100644
	--- a/src/network.c
	+++ b/src/network.c
	@@ -697,6 +697,7 @@ int enumerate_interfaces(int reset)
	struct auth_zone *zone;
	#endif
	struct server *serv;
	+ int iteration = 0;

	/* Do this max once per select cycle - also inhibits netlink socket use
	in TCP child processes. */
	@@ -734,6 +735,10 @@ int enumerate_interfaces(int reset)
	}

	again:
	+ if (iteration > 100) {
	+ return 0;
	+ }
	+ iteration += 1;
	/* Mark interfaces for garbage collection */
	for (iface = daemon->interfaces; iface; iface = iface->next)
	iface->found = 0;