b4563a2490
The encoder, being cautious not to overstep the arbitrary 10000 byte boundary, might not encode an exactly 10000 byte condition. This is an off-by-one, but in the safe direction. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65118 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Dec 22 00:51:13 UTC 2023 on atb-devel-224 |
||
|---|---|---|
| .. | ||
| oss-fuzz | ||
| patches | ||
| afl-fuzz-main.c | ||
| decode_ndr_X_crash | ||
| fuzz_cli_credentials_parse_string.c | ||
| fuzz_conditional_ace_blob.c | ||
| fuzz_dcerpc_parse_binding.c | ||
| fuzz_ldap_decode.c | ||
| fuzz_ldb_comparison_fold.c | ||
| fuzz_ldb_dn_explode.c | ||
| fuzz_ldb_ldif_read.c | ||
| fuzz_ldb_parse_binary_decode.c | ||
| fuzz_ldb_parse_control.c | ||
| fuzz_ldb_parse_tree.c | ||
| fuzz_lzxpress_compress.c | ||
| fuzz_lzxpress_huffman_compress.c | ||
| fuzz_lzxpress_huffman_decompress.c | ||
| fuzz_lzxpress_huffman_round_trip.c | ||
| fuzz_lzxpress_round_trip.c | ||
| fuzz_lzxpress.c | ||
| fuzz_ndr_X.c | ||
| fuzz_nmblib_parse_packet.c | ||
| fuzz_oLschema2ldif.c | ||
| fuzz_parse_lpq_entry.c | ||
| fuzz_reg_parse.c | ||
| fuzz_regfio.c | ||
| fuzz_sddl_access_check.c | ||
| fuzz_sddl_conditional_ace.c | ||
| fuzz_sddl_parse.c | ||
| fuzz_security_token_vs_descriptor.c | ||
| fuzz_sess_crypt_blob.c | ||
| fuzz_stable_sort_r.c | ||
| fuzz_stable_sort.c | ||
| fuzz_tiniparser.c | ||
| fuzzing.c | ||
| fuzzing.h | ||
| README.md | ||
| wscript_build | ||
Fuzzing Samba
See also https://wiki.samba.org/index.php/Fuzzing
Fuzzing supplies valid, invalid, unexpected or random data as input to a piece of code. Instrumentation, usually compiler-implemented, is used to monitor for exceptions such as crashes, assertions or memory corruption.
See Wikipedia article on fuzzing for more information.
Honggfuzz
Configure with fuzzing
Example command line to build binaries for use with honggfuzz:
./configure -C --without-gettext --enable-debug --enable-developer \
--address-sanitizer --enable-libfuzzer --abi-check-disable \
CC=.../honggfuzz/hfuzz_cc/hfuzz-clang \
LINK_CC=.../honggfuzz/hfuzz_cc/hfuzz-clang
Fuzzing tiniparser
Example for fuzzing tiniparser using honggfuzz (see --help for more
options):
make bin/fuzz_tiniparser && \
.../honggfuzz/honggfuzz --sanitizers --timeout 3 --max_file_size 256 \
--rlimit_rss 100 -f .../tiniparser-corpus -- bin/fuzz_tiniparser
AFL (american fuzzy lop)
Configure with fuzzing
Example command line to build binaries for use with afl
./configure -C --without-gettext --enable-debug --enable-developer \
--enable-afl-fuzzer --abi-check-disable \
CC=afl-gcc
Fuzzing tiniparser
Example for fuzzing tiniparser using afl-fuzz (see --help for more
options):
make bin/fuzz_tiniparser build && \
afl-fuzz -m 200 -i inputdir -o outputdir -- bin/fuzz_tiniparser
oss-fuzz
Samba can be fuzzed by Google's oss-fuzz system. Assuming you have an oss-fuzz checkout from https://github.com/google/oss-fuzz with Samba's metadata in projects/samba, the following guides will help:
Testing locally
https://google.github.io/oss-fuzz/getting-started/new-project-guide/#testing-locally
Debugging oss-fuzz
See https://google.github.io/oss-fuzz/advanced-topics/debugging/
Samba-specific hints
A typical debugging workflow is:
oss-fuzz$ python infra/helper.py shell samba git fetch $REMOTE $BRANCH git checkout FETCH_HEAD lib/fuzzing/oss-fuzz/build_image.sh compile
This will pull in any new Samba deps and build Samba's fuzzers.