Merge pull request #3921 from bluca/fuzzers

Problem: invalid address results in out-of-range string access
Doron Somech 2020-05-16 17:23:16 +03:00 committed by GitHub
commit 8df0d99cd8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 25 additions and 3 deletions


@ -1221,6 +1221,12 @@ install-data-hook:
mv $(DESTDIR)/$(FUZZINGdir)/test_connect_null_fuzzer.seed $(DESTDIR)/$(FUZZINGdir)/$$fn; \
zip -j -m -g --quiet $(DESTDIR)/$(FUZZINGdir)/test_connect_null_fuzzer_seed_corpus.zip $(DESTDIR)/$(FUZZINGdir)/$$fn; \
done < $(DESTDIR)/$(FUZZINGdir)/test_connect_null_fuzzer.txt)
$(shell while read -r test; do \
echo -n $$test | perl -e 'print pack "H*", <STDIN>' > $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.seed; \
export fn=$$(cat $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.seed | sha1sum | awk '{print $$1}'); \
mv $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.seed $(DESTDIR)/$(FUZZINGdir)/$$fn; \
zip -j -m -g --quiet $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.zip $(DESTDIR)/$(FUZZINGdir)/$$fn; \
done < $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.txt)
rm -f $(DESTDIR)/$(FUZZINGdir)/*.txt
else
test_apps += tests/test_bind_null_fuzzer \
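Review bot: The new loop writes its seeds to `test_bind_fuzzer.zip`, while the loop just above it writes to `test_connect_null_fuzzer_seed_corpus.zip`. If the fuzzing infrastructure discovers seed archives by the `<target>_seed_corpus.zip` suffix, as the neighbouring line suggests, the regression seed added by this commit would be installed but never loaded. I would name the archive `$(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer_seed_corpus.zip`. The `install-data-hook` rule starts before this hunk, so the remaining corpus loops could not be compared from here.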


@ -252,6 +252,10 @@ int zmq::ip_resolver_t::resolve (ip_addr_t *ip_addr_, const char *name_)
if (pos != std::string::npos) {
std::string if_str = addr.substr (pos + 1);
if (if_str.empty ()) {
errno = EINVAL;
return -1;
}
addr = addr.substr (0, pos);
if (isalpha (if_str.at (0))) {
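Review bot: The added empty-string guard makes `if_str.at (0)` safe, but the `isalpha` call right after it still receives a plain `char`. The address string is supplied by the caller (and now by the fuzzer), so a byte of 0x80 or above is negative where `char` is signed, and passing a negative value other than EOF to `isalpha` is undefined behaviour. I would write `if (isalpha (static_cast<unsigned char> (if_str.at (0)))) {`. The body of `resolve` starts and ends outside this hunk, so other `substr` or index uses on `addr` could not be checked from here.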


@ -0,0 +1 @@
77733a2f2f253a39


@ -53,10 +53,21 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
#ifndef ZMQ_USE_FUZZING_ENGINE
void test_bind_fuzzer ()
{
uint8_t buffer[32] = {0};
uint8_t **data;
size_t *len, num_cases = 0;
if (fuzzer_corpus_encode ("tests/fuzzer_corpora/test_bind_fuzzer.txt",
&data, &len, &num_cases)
!= 0)
exit (77);
TEST_ASSERT_SUCCESS_ERRNO (
LLVMFuzzerTestOneInput (buffer, sizeof (buffer)));
while (num_cases-- > 0) {
TEST_ASSERT_SUCCESS_ERRNO (
LLVMFuzzerTestOneInput (data[num_cases], len[num_cases]));
free (data[num_cases]);
}
free (data);
free (len);
}
int main (int argc, char **argv)
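Review bot: When `fuzzer_corpus_encode` fails, `exit (77)` ends `test_bind_fuzzer` without any message, and the corpus path `tests/fuzzer_corpora/test_bind_fuzzer.txt` is relative to the working directory. If the harness treats 77 as "skipped" (the automake convention), a run started from another directory would quietly stop replaying the seed that covers the out-of-range fix. I would print the reason first, for example `fprintf (stderr, "test_bind_fuzzer: corpus not loaded, skipping\n");`, and add the comment `// 77 = skipped: corpus file could not be read relative to the current directory` above the `exit`. What `fuzzer_corpus_encode` returns on a partial read is not visible in this hunk.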