From dccf1723cc14d7481c33446e11b577fcd80ec975 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 16 May 2020 13:40:29 +0100
Subject: [PATCH 1/2] Problem: invalid address results in out-of-range string access

Solution: check for zone string length before using it in ip_resolver

It turns out std::string::at does not check for string length before dereferencing
---
 src/ip_resolver.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/ip_resolver.cpp b/src/ip_resolver.cpp
index 59b7df44..4728ba77 100644
--- a/src/ip_resolver.cpp
+++ b/src/ip_resolver.cpp
@@ -252,6 +252,10 @@ int zmq::ip_resolver_t::resolve (ip_addr_t *ip_addr_, const char *name_)
 if (pos != std::string::npos) {
 std::string if_str = addr.substr (pos + 1);
+ if (if_str.empty ()) {
+ errno = EINVAL;
+ return -1;
+ }
 addr = addr.substr (0, pos);
 if (isalpha (if_str.at (0))) {

From 2d23b599f2939beff3ad5254fd4e426ad35048d9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 16 May 2020 13:42:11 +0100
Subject: [PATCH 2/2] Problem: test_bind_fuzzer does not use corpus for regression tests

Solution: do it
---
 Makefile.am | 6 ++++++
 tests/fuzzer_corpora/test_bind_fuzzer.txt | 1 +
 tests/test_bind_fuzzer.cpp | 17 ++++++++++++++---
 3 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 tests/fuzzer_corpora/test_bind_fuzzer.txt

diff --git a/Makefile.am b/Makefile.am
index 4d1a7819..51550a4d 100755
--- a/Makefile.am
+++ b/Makefile.am
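Review bot: The guard before `if_str.at (0)` is the right fix, but the reason given in the description is off: `std::string::at` does bounds-check and throws `std::out_of_range`, so for an address with nothing after the `%` (the corpus line added in the second patch, `77733a2f2f253a39`, decodes to `ws://%:9`) the pre-patch failure was an uncaught exception escaping `resolve`, not an unchecked read; the new lines turn that into `errno = EINVAL; return -1;`, which is presumably the same failure form the rest of the function uses. A one-line comment would keep that intent next to the check: `// nothing after the '%' means no zone id; reject before at (0)`. The same split can also leave `addr` empty after `addr.substr (0, pos)` (input like `%eth0`), which this hunk does not check; whether later code tolerates an empty host is outside the hunk. `resolve` begins before and continues after the hunk.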
@@ -1221,6 +1221,12 @@ install-data-hook:
 mv $(DESTDIR)/$(FUZZINGdir)/test_connect_null_fuzzer.seed $(DESTDIR)/$(FUZZINGdir)/$$fn; \
 zip -j -m -g --quiet $(DESTDIR)/$(FUZZINGdir)/test_connect_null_fuzzer_seed_corpus.zip $(DESTDIR)/$(FUZZINGdir)/$$fn; \
 done < $(DESTDIR)/$(FUZZINGdir)/test_connect_null_fuzzer.txt)
+ $(shell while read -r test; do \
+ echo -n $$test | perl -e 'print pack "H*", ' > $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.seed; \
+ export fn=$$(cat $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.seed | sha1sum | awk '{print $$1}'); \
+ mv $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.seed $(DESTDIR)/$(FUZZINGdir)/$$fn; \
+ zip -j -m -g --quiet $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.zip $(DESTDIR)/$(FUZZINGdir)/$$fn; \
+ done < $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer.txt)
 rm -f $(DESTDIR)/$(FUZZINGdir)/*.txt
 else
 test_apps += tests/test_bind_null_fuzzer \
diff --git a/tests/fuzzer_corpora/test_bind_fuzzer.txt b/tests/fuzzer_corpora/test_bind_fuzzer.txt
new file mode 100644
index 00000000..6e950c98
--- /dev/null
+++ b/tests/fuzzer_corpora/test_bind_fuzzer.txt
@@ -0,0 +1 @@
+77733a2f2f253a39
diff --git a/tests/test_bind_fuzzer.cpp b/tests/test_bind_fuzzer.cpp
index 3c8e6e87..3a29a30c 100644
--- a/tests/test_bind_fuzzer.cpp
+++ b/tests/test_bind_fuzzer.cpp
@@ -53,10 +53,21 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 #ifndef ZMQ_USE_FUZZING_ENGINE
 void test_bind_fuzzer ()
 {
- uint8_t buffer[32] = {0};
+ uint8_t **data;
+ size_t *len, num_cases = 0;
+ if (fuzzer_corpus_encode ("tests/fuzzer_corpora/test_bind_fuzzer.txt",
+ &data, &len, &num_cases)
+ != 0)
+ exit (77);
- TEST_ASSERT_SUCCESS_ERRNO (
- LLVMFuzzerTestOneInput (buffer, sizeof (buffer)));
+ while (num_cases-- > 0) {
+ TEST_ASSERT_SUCCESS_ERRNO (
+ LLVMFuzzerTestOneInput (data[num_cases], len[num_cases]));
+ free (data[num_cases]);
+ }
+
+ free (data);
+ free (len);
 }
 int main (int argc, char **argv)
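Review bot: The archive written by the new loop is named `test_bind_fuzzer.zip`, while the `test_connect_null_fuzzer` block it mirrors three lines above writes `test_connect_null_fuzzer_seed_corpus.zip`; libFuzzer/OSS-Fuzz locate seed corpora by the `<fuzzer>_seed_corpus.zip` name, so as written the bind corpus would be installed but not picked up. Change the zip line to `zip -j -m -g --quiet $(DESTDIR)/$(FUZZINGdir)/test_bind_fuzzer_seed_corpus.zip $(DESTDIR)/$(FUZZINGdir)/$$fn; \`. The `perl -e 'print pack "H*", '` call also appears to have lost its input expression in this rendering; if the argument is genuinely absent in the checked-in file, pack is given no data and every seed file comes out empty, so that line is worth confirming against the sibling block. This is a verbatim copy of the existing loop with the fuzzer name substituted; a make macro parameterised on the fuzzer name would keep the copies in step.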
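Review bot: Replacing the fixed 32-byte zero buffer with the corpus drops that input from the regression run; the corpus holds only the `ws://%:9` case, so if the all-zero input was worth exercising, add it as a second line of `tests/fuzzer_corpora/test_bind_fuzzer.txt` (64 `0` characters) rather than losing it. The reverse `while (num_cases-- > 0)` walk is correct but reads as a trick; `for (size_t i = 0; i < num_cases; ++i)` with `data[i]`, `len[i]` and `free (data[i])` says the same thing without the post-decrement on a `size_t`. `data` and `len` stay uninitialised until `fuzzer_corpus_encode` fills them, which is only safe because the failure branch calls `exit (77)`; `uint8_t **data = NULL;` and `size_t *len = NULL;` would make that independent of the helper's contract. That each `data[i]`, then `data` and `len`, are heap blocks owned by the caller is inferred from the `free` calls and should be confirmed against `fuzzer_corpus_encode`.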