From b6e8a4f2b639c92f13af3a51d058cc01b67e9527 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Fri, 25 Nov 2022 19:32:04 +0000
Subject: [PATCH 1/4] tests: add a file triggering crash in type_bitmap_to_json
It's a follow-up to https://github.com/systemd/systemd/pull/25518
---
.../fuzz-resource-record/crash-type-bitmap-to-json | Bin 0 -> 12 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 test/fuzz/fuzz-resource-record/crash-type-bitmap-to-json
diff --git a/test/fuzz/fuzz-resource-record/crash-type-bitmap-to-json b/test/fuzz/fuzz-resource-record/crash-type-bitmap-to-json
new file mode 100644
index 0000000000000000000000000000000000000000..a7d5b430dda21a719fe415c1fb68c63012b6f7c3
GIT binary patch
literal 12
QcmZQz&}U#|00Bk@00Ha(G5`Po
literal 0
HcmV?d00001
From ae8654f9e65cdaf658de1d4908a2e67d8c40946c Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Fri, 25 Nov 2022 20:00:30 +0000
Subject: [PATCH 2/4] tests: fuzz dns resource records
It should help to catch issues like https://github.com/systemd/systemd/issues/19584, https://github.com/systemd/systemd/issues/25449.
---
src/resolve/fuzz-resource-record.c | 35 ++++++++++++++++++++++++++++++
src/resolve/meson.build | 5 +++++
2 files changed, 40 insertions(+)
create mode 100644 src/resolve/fuzz-resource-record.c
diff --git a/src/resolve/fuzz-resource-record.c b/src/resolve/fuzz-resource-record.c
new file mode 100644
index 00000000000..15c465933da
--- /dev/null
+++ b/src/resolve/fuzz-resource-record.c
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "fd-util.h"
+#include "fuzz.h"
+#include "memory-util.h"
+#include "resolved-dns-packet.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_free_ char *out = NULL; /* out should be freed after f */
+ size_t out_size;
+ _cleanup_fclose_ FILE *f = NULL;
+ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL, *copy = NULL;
+ _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
+
+ if (outside_size_range(size, 0, DNS_PACKET_SIZE_MAX))
+ return 0;
+
+ if (dns_resource_record_new_from_raw(&rr, data, size) < 0)
+ return 0;
+
+ assert_se(copy = dns_resource_record_copy(rr));
+ assert_se(dns_resource_record_equal(copy, rr) > 0);
+
+ assert_se(f = open_memstream_unlocked(&out, &out_size));
+ (void) fprintf(f, "%s", strna(dns_resource_record_to_string(rr)));
+
+ if (dns_resource_record_to_json(rr, &v) < 0)
+ return 0;
+
+ (void) json_variant_dump(v, JSON_FORMAT_PRETTY|JSON_FORMAT_COLOR|JSON_FORMAT_SOURCE, f, NULL);
+ (void) dns_resource_record_to_wire_format(rr, false);
+ (void) dns_resource_record_to_wire_format(rr, true);
+
+ return 0;
+}
diff --git a/src/resolve/meson.build b/src/resolve/meson.build
index e11aefce7ac..cd02c880396 100644
--- a/src/resolve/meson.build
+++ b/src/resolve/meson.build
@@ -237,6 +237,11 @@ fuzzers += [
 libshared],
 [lib_openssl_or_gcrypt,
 libm]],
+ [files('fuzz-resource-record.c'),
+ [libsystemd_resolve_core,
+ libshared],
+ [lib_openssl_or_gcrypt,
+ libm]],
 ]
 
 systemd_resolved_sources += files('resolved.c')
From 49f936cd0a8c575c03a3ed570b7a372f420f2cca Mon Sep 17 00:00:00 2001
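Review bot: The two `dns_resource_record_to_wire_format()` calls in the fuzz-resource-record.c hunk are reached only when `dns_resource_record_to_json()` succeeds, because the `if (dns_resource_record_to_json(rr, &v) < 0) return 0;` guard sits between the text rendering and the wire-format calls, so any record the JSON path rejects never exercises wire-format serialization. Moving the two `(void) dns_resource_record_to_wire_format(rr, false);` / `(void) dns_resource_record_to_wire_format(rr, true);` lines above that guard keeps the conversions independent and lets each one see the whole corpus that parses. The memstream `out` is written and never read; a short comment such as `/* the memstream only sinks the text and JSON rendering; the conversions themselves are what we exercise */` above `open_memstream_unlocked` would make that intentional to the next reader.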
From: Evgeny Vereshchagin
Date: Sat, 26 Nov 2022 11:57:22 +0000
Subject: [PATCH 3/4] tests: add a file triggering "applying zero offset to null pointer"
```
../src/basic/hexdecoct.c:66:44: runtime error: applying zero offset to null pointer
#0 0x7f6022650c44 in hexmem /home/vagrant/systemd/build-fuzzers/../src/basic/hexdecoct.c:66:44
#1 0x577583 in dns_resource_record_to_string /home/vagrant/systemd/build-fuzzers/../src/resolve/resolved-dns-rr.c:1140:21
#2 0x563669 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build-fuzzers/../src/resolve/fuzz-resource-record.c:25:39
#3 0x44d2a1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-resource-record+0x44d2a1) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89)
#4 0x42d32f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-resource-record+0x42d32f) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89)
#5 0x434920 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-resource-record+0x434920) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89)
#6 0x424006 in main (/home/vagrant/systemd/out/fuzz-resource-record+0x424006) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89)
#7 0x7f602142950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) (BuildId: 85c438f4ff93e21675ff174371c9c583dca00b2c)
#8 0x7f60214295c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x295c8) (BuildId: 85c438f4ff93e21675ff174371c9c583dca00b2c)
#9 0x424044 in _start (/home/vagrant/systemd/out/fuzz-resource-record+0x424044) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hexdecoct.c:66:44 in
```
---
.../fuzz/fuzz-resource-record/ub-zero-length-rdata | Bin 0 -> 11 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 test/fuzz/fuzz-resource-record/ub-zero-length-rdata
diff --git a/test/fuzz/fuzz-resource-record/ub-zero-length-rdata b/test/fuzz/fuzz-resource-record/ub-zero-length-rdata
new file mode 100644
index 0000000000000000000000000000000000000000..b5301ee20cf35fce39bcbd378a972c1aa09c72b5
GIT binary patch
literal 11
NcmZQzWZ+?d0001W01f~E
literal 0
HcmV?d00001
From 84f788d6699f289160d7cb3823c1bf9a3826f11f Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Sat, 26 Nov 2022 12:02:46 +0000
Subject: [PATCH 4/4] resolve: format zero-length RDATA according to rfc3597
If the RDATA is of zero length, the text representation contains only the \# token and the single zero representing the length.
---
src/resolve/resolved-dns-rr.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c
index d47cdbbd8e2..f4fa219ab7c 100644
--- a/src/resolve/resolved-dns-rr.c
+++ b/src/resolve/resolved-dns-rr.c
@@ -1137,12 +1137,15 @@ const char *dns_resource_record_to_string(DnsResourceRecord *rr) {
 break;
 
 default:
- t = hexmem(rr->generic.data, rr->generic.data_size);
- if (!t)
- return NULL;
-
 /* Format as documented in RFC 3597, Section 5 */
- r = asprintf(&s, "%s \\# %zu %s", k, rr->generic.data_size, t);
+ if (rr->generic.data_size == 0)
+ r = asprintf(&s, "%s \\# 0", k);
+ else {
+ t = hexmem(rr->generic.data, rr->generic.data_size);
+ if (!t)
+ return NULL;
+ r = asprintf(&s, "%s \\# %zu %s", k, rr->generic.data_size, t);
+ }
 if (r < 0)
 return NULL;
 break;
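Review bot: The `if (rr->generic.data_size == 0)` guard closes the sanitizer finding for this one caller only; per the PATCH 3 trace the "applying zero offset to null pointer" happens inside `hexmem()` at hexdecoct.c:66, so any other caller that hands it an empty buffer backed by a NULL pointer presumably hits the same undefined behaviour. It may be worth hardening `hexmem()` to accept `(NULL, 0)` and return an empty string in addition to this change, which is still wanted on its own for the RFC 3597 `\# 0` output form. A one-line comment on the new branch, `/* RFC 3597, Section 5: empty RDATA is written as "\# 0" with no hex data following */`, would tell the next reader why the zero-length case is formatted separately rather than through hexmem(). dns_resource_record_to_string() starts and ends outside the hunk, so `t`, `s`, `k` and `r` are declared beyond what is visible here.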