tests: fuzz client_handle_offer

Turns out that part of systemd isn't covered by any fuzz targets and that's not ideal considering that it parses data sent remotely. The fuzzer triggers an infinite loop in lease_parse_routes as soon as it starts so it seems to be working :-) ``` INFO: Running with entropic power schedule (0xFF, 100). INFO: Seed: 23620602 INFO: Loaded 2 modules (182073 inline 8-bit counters): 176548 [0x7fdf511fc8d0, 0x7fdf51227a74), 5525 [0x5f6ef0, 0x5f8485), INFO: Loaded 2 PC tables (182073 PCs): 176548 [0x7fdf51227a78,0x7fdf514d94b8), 5525 [0x5f8488,0x60ddd8), ./build/fuzz-dhcp-client: Running 1 inputs 1 time(s) each. Running: test/fuzz/fuzz-dhcp-client/timeout-ed34161922c7075c4773f2ada3dee8685d220980 ALARM: working on the last Unit for 31 seconds and the timeout value is 30 (use -timeout=N to change) ==80731== ERROR: libFuzzer: timeout after 31 seconds #0 0x51b32e in __sanitizer_print_stack_trace (/home/vagrant/systemd/build/fuzz-dhcp-client+0x51b32e) #1 0x4689e9 in fuzzer::PrintStackTrace() (/home/vagrant/systemd/build/fuzz-dhcp-client+0x4689e9) #2 0x44a0f4 in fuzzer::Fuzzer::StaticAlarmCallback() (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a0f4) #3 0x7fdf4f8b474f (/lib64/libc.so.6+0x4274f) #4 0x465fee in __sanitizer_cov_trace_const_cmp4 (/home/vagrant/systemd/build/fuzz-dhcp-client+0x465fee) #5 0x57eee5 in lease_parse_routes /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:495:23 #6 0x57baf3 in dhcp_lease_parse_options /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:701:21 #7 0x572450 in parse_options /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:348:33 #8 0x571cea in dhcp_option_parse /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:381:21 #9 0x559a01 in client_handle_offer /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-client.c:1543:13 #10 0x5592bd in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/libsystemd-network/fuzz-dhcp-client.c:78:9 #11 0x44a379 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a379) #12 0x42ae1f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x42ae1f) #13 0x432ade in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x432ade) #14 0x421f86 in main (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421f86) #15 0x7fdf4f89f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f) #16 0x7fdf4f89f60b in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2d60b) #17 0x421fd4 in _start (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421fd4) SUMMARY: libFuzzer: timeout ```
author: Evgeny Vereshchagin <evvers@ya.ru> 2022-01-28 20:35:38 +0000
committer: Evgeny Vereshchagin <evvers@ya.ru> 2022-01-29 00:59:56 +0000
commit: 4158af36510bf2d03be30867f0d81bdc77d74680 (patch)
tree: b5024445e4053c3ec269f97a64962f79f71da3f1
parent: test: add missing oom check (diff)
download: systemd-4158af36510bf2d03be30867f0d81bdc77d74680.tar.xz
systemd-4158af36510bf2d03be30867f0d81bdc77d74680.zip
3 files changed, 83 insertions, 0 deletions
diff --git a/src/libsystemd-network/fuzz-dhcp-client.c b/src/libsystemd-network/fuzz-dhcp-client.c
new file mode 100644
index 00000000000..1812a61950e
--- /dev/null
+++ b/src/libsystemd-network/fuzz-dhcp-client.c
@@ -0,0 +1,79 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <errno.h>
+#include <sys/socket.h>
+#include <unistd.h>
+
+#include "alloc-util.h"
+#include "fuzz.h"
+#include "sd-event.h"
+
+#include "sd-dhcp-client.c"
+
+int dhcp_network_bind_raw_socket(
+                int ifindex,
+                union sockaddr_union *link,
+                uint32_t id,
+                const uint8_t *addr, size_t addr_len,
+                const uint8_t *bcaddr, size_t bcaddr_len,
+                uint16_t arp_type, uint16_t port) {
+
+        int fd;
+        fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0);
+        if (fd < 0)
+                return -errno;
+
+        return fd;
+}
+
+int dhcp_network_send_raw_socket(int s, const union sockaddr_union *link, const void *packet, size_t len) {
+        return len;
+}
+
+int dhcp_network_bind_udp_socket(int ifindex, be32_t address, uint16_t port, int ip_service_type) {
+        int fd;
+
+        fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0);
+        if (fd < 0)
+                return -errno;
+
+        return fd;
+}
+
+int dhcp_network_send_udp_socket(int s, be32_t address, uint16_t port, const void *packet, size_t len) {
+        return len;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+        uint8_t mac_addr[] = {'A', 'B', 'C', '1', '2', '3'};
+        uint8_t bcast_addr[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
+        _cleanup_(sd_dhcp_client_unrefp) sd_dhcp_client *client = NULL;
+        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
+        int res, r;
+
+        if (!getenv("SYSTEMD_LOG_LEVEL"))
+                log_set_max_level(LOG_CRIT);
+
+        r = sd_dhcp_client_new(&client, false);
+        assert_se(r >= 0);
+        assert_se(client);
+
+        assert_se(sd_event_new(&e) >= 0);
+
+        r = sd_dhcp_client_attach_event(client, e, 0);
+        assert_se(r >= 0);
+
+        assert_se(sd_dhcp_client_set_ifindex(client, 42) >= 0);
+        assert_se(sd_dhcp_client_set_mac(client, mac_addr, bcast_addr, ETH_ALEN, ARPHRD_ETHER) >= 0);
+        dhcp_client_set_test_mode(client, true);
+
+        res = sd_dhcp_client_start(client);
+        assert_se(IN_SET(res, 0, -EINPROGRESS));
+        client->xid = 2;
+
+        (void) client_handle_offer(client, (DHCPMessage*) data, size);
+
+        assert_se(sd_dhcp_client_stop(client) >= 0);
+
+        return 0;
+}
diff --git a/src/libsystemd-network/meson.build b/src/libsystemd-network/meson.build
index 3f5e11e7f55..853401d5be8 100644
--- a/src/libsystemd-network/meson.build
+++ b/src/libsystemd-network/meson.build
@@ -105,6 +105,10 @@ tests += [
 ]
 
 fuzzers += [
+        [files('fuzz-dhcp-client.c'),
+         [libshared,
+          libsystemd_network]],
+
         [files('fuzz-dhcp6-client.c'),
          [libshared,
           libsystemd_network]],
diff --git a/test/fuzz/fuzz-dhcp-client/timeout-ed34161922c7075c4773f2ada3dee8685d220980 b/test/fuzz/fuzz-dhcp-client/timeout-ed34161922c7075c4773f2ada3dee8685d220980
new file mode 100644
index 00000000000..a51cf70dd0f
--- /dev/null
+++ b/test/fuzz/fuzz-dhcp-client/timeout-ed34161922c7075c4773f2ada3dee8685d220980
author	Evgeny Vereshchagin <evvers@ya.ru>	2022-01-28 20:35:38 +0000
committer	Evgeny Vereshchagin <evvers@ya.ru>	2022-01-29 00:59:56 +0000
commit	4158af36510bf2d03be30867f0d81bdc77d74680 (patch)
tree	b5024445e4053c3ec269f97a64962f79f71da3f1
parent	test: add missing oom check (diff)
download	systemd-4158af36510bf2d03be30867f0d81bdc77d74680.tar.xz systemd-4158af36510bf2d03be30867f0d81bdc77d74680.zip