Fix overflow in rx_icmp

This commit is contained in:
cpq 2022-09-29 16:53:11 +01:00
parent a88a11c243
commit 9680b8ccb3
6 changed files with 34 additions and 18 deletions

View File

@ -81,6 +81,10 @@ fuzz: mongoose.c mongoose.h Makefile test/fuzz.c
$(CXX) test/fuzz.c $(OPTS) $(WARN) $(INCS) $(TFLAGS) $(ASAN) -o fuzzer
$(RUN) ./fuzzer
fuzz2: mongoose.c mongoose.h Makefile test/fuzz.c
$(CC) test/fuzz.c test/packed_fs.c -DMAIN $(CFLAGS) -o fuzzer
$(RUN) ./fuzzer /tmp/fuzzdata
test: Makefile mongoose.h $(SRCS)
$(CC) $(SRCS) $(CFLAGS) $(LDFLAGS) -o unit_test
ASAN_OPTIONS=$(ASAN_OPTIONS) $(RUN) ./unit_test

View File

@ -453,7 +453,7 @@ static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
if (left > pkt->pay.len) left = pkt->pay.len; // Don't overflow TX
memset(icmp, 0, sizeof(*icmp)); // Set csum to 0
memcpy(icmp + 1, pkt->pay.buf, left); // Copy RX payload to TX
icmp->csum = ipcsum(icmp, sizeof(*icmp) + pkt->pay.len);
icmp->csum = ipcsum(icmp, sizeof(*icmp) + left);
ifp->driver->tx(ifp->tx.buf, len + left, ifp->driver_data);
}
}

View File

@ -90,9 +90,9 @@ int mg_base64_encode(const unsigned char *p, int n, char *to) {
}
int mg_base64_decode(const char *src, int n, char *dst) {
const char *end = src + n;
const char *end = src == NULL ? NULL : src + n; // Cannot add to NULL
int len = 0;
while (src + 3 < end) {
while (src != NULL && src + 3 < end) {
int a = mg_b64rev(src[0]), b = mg_b64rev(src[1]), c = mg_b64rev(src[2]),
d = mg_b64rev(src[3]);
if (a == 64 || a < 0 || b == 64 || b < 0 || c < 0 || d < 0) return 0;
@ -1542,7 +1542,7 @@ static void mg_http_parse_headers(const char *s, const char *end,
int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
int is_response, req_len = mg_http_get_request_len((unsigned char *) s, len);
const char *end = s + req_len, *qs;
const char *end = s == NULL ? NULL : s + req_len, *qs; // Cannot add to NULL
struct mg_str *cl;
memset(hm, 0, sizeof(*hm));
@ -6715,10 +6715,10 @@ static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
sizeof(struct icmp) + pkt->pay.len);
struct icmp *icmp = (struct icmp *) (ip + 1);
size_t len = PDIFF(ifp->tx.buf, icmp + 1), left = ifp->tx.len - len;
if (left > pkt->pay.len) left = pkt->pay.len;
memset(icmp, 0, sizeof(*icmp)); // Important - set csum to 0
memcpy(icmp + 1, pkt->pay.buf, left);
icmp->csum = ipcsum(icmp, sizeof(*icmp) + pkt->pay.len);
if (left > pkt->pay.len) left = pkt->pay.len; // Don't overflow TX
memset(icmp, 0, sizeof(*icmp)); // Set csum to 0
memcpy(icmp + 1, pkt->pay.buf, left); // Copy RX payload to TX
icmp->csum = ipcsum(icmp, sizeof(*icmp) + left);
ifp->driver->tx(ifp->tx.buf, len + left, ifp->driver_data);
}
}

View File

@ -1,5 +1,5 @@
#include "base64.h"
#include "arch.h"
#include "base64.h"
static int mg_b64idx(int c) {
if (c < 26) {
@ -66,9 +66,9 @@ int mg_base64_encode(const unsigned char *p, int n, char *to) {
}
int mg_base64_decode(const char *src, int n, char *dst) {
const char *end = src + n;
const char *end = src == NULL ? NULL : src + n; // Cannot add to NULL
int len = 0;
while (src + 3 < end) {
while (src != NULL && src + 3 < end) {
int a = mg_b64rev(src[0]), b = mg_b64rev(src[1]), c = mg_b64rev(src[2]),
d = mg_b64rev(src[3]);
if (a == 64 || a < 0 || b == 64 || b < 0 || c < 0 || d < 0) return 0;

View File

@ -1,7 +1,7 @@
#include "http.h"
#include "arch.h"
#include "base64.h"
#include "fmt.h"
#include "http.h"
#include "log.h"
#include "net.h"
#include "ssi.h"
@ -202,7 +202,7 @@ static void mg_http_parse_headers(const char *s, const char *end,
int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
int is_response, req_len = mg_http_get_request_len((unsigned char *) s, len);
const char *end = s + req_len, *qs;
const char *end = s == NULL ? NULL : s + req_len, *qs; // Cannot add to NULL
struct mg_str *cl;
memset(hm, 0, sizeof(*hm));

View File

@ -58,7 +58,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
mg_json_get(mg_str_n((char *) data, size), "$[0]", &n);
if (size > 0) {
struct mip_cfg cfg = {};
struct mip_cfg cfg = {0};
size_t pktlen = 1540;
char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */];
struct mip_if *ifp = (struct mip_if *) t;
@ -85,3 +85,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
return 0;
}
#if defined(MAIN)
int main(int argc, char *argv[]) {
if (argc > 1) {
size_t len = 0;
char *buf = mg_file_read(&mg_fs_posix, argv[1], &len);
if (buf != NULL) LLVMFuzzerTestOneInput((uint8_t *) buf, len);
free(buf);
}
return 0;
}
#endif