Merge branch 'wip/pwithnall/resolver-fuzzing' into 'main'

fuzzing: Add a fuzz test for parsing DNS records

See merge request GNOME/glib!2396

fuzzing/fuzz_resolver.c

@@ -0,0 +1,53 @@
+#include "fuzz.h"
+#include "gio/gnetworking.h"
+
+#include "../gio/gthreadedresolver.h"
+
+static void
+test_for_rrtype (const guint8 *data,
+                 gsize         data_len,
+                 gint          rrtype)
+{
+  /* g_resolver_records_from_res_query() is only available on Unix */
+#ifdef G_OS_UNIX
+  GList *record_list = NULL;
+
+  /* Data too long? */
+  if (data_len > G_MAXSSIZE)
+    return;
+
+  /* rrname is only used in error messages, so doesn’t need to vary.
+   * herr is used similarly, so is just set to zero. */
+  record_list = g_resolver_records_from_res_query ("rrname",
+                                                   rrtype,
+                                                   data,
+                                                   data_len,
+                                                   0,
+                                                   NULL);
+
+  g_list_free_full (record_list, (GDestroyNotify) g_variant_unref);
+#endif  /* G_OS_UNIX */
+}
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+  const gint rrtypes_to_test[] =
+    {
+      /* See https://en.wikipedia.org/wiki/List_of_DNS_record_types */
+      33  /* SRV */,
+      15  /* MX */,
+      6  /* SOA */,
+      2  /* NS */,
+      16  /* TXT */,
+      999,  /* not currently a valid rrtype, to test the ‘unknown’ code path */
+    };
+  gsize i;
+
+  fuzz_set_logging_func ();
+
+  for (i = 0; i < G_N_ELEMENTS (rrtypes_to_test); i++)
+    test_for_rrtype (data, size, rrtypes_to_test[i]);
+
+  return 0;
+}

fuzzing/meson.build

@@ -11,6 +11,7 @@ fuzz_targets = [
   'fuzz_network_address_parse',
   'fuzz_network_address_parse_uri',
   'fuzz_paths',
+  'fuzz_resolver',
   'fuzz_uri_escape',
   'fuzz_uri_parse',
   'fuzz_uri_parse_params',

gio/gthreadedresolver.c

@@ -530,9 +530,9 @@ typedef enum __ns_type {
 #endif /* __BIONIC__ */
 
 static GVariant *
-parse_res_srv (guchar  *answer,
-               guchar  *end,
-               guchar **p)
+parse_res_srv (const guint8  *answer,
+               const guint8  *end,
+               const guint8 **p)
 {
   gchar namebuf[1024];
   guint16 priority, weight, port;
@@ -550,9 +550,9 @@ parse_res_srv (guchar  *answer,
 }
 
 static GVariant *
-parse_res_soa (guchar  *answer,
-               guchar  *end,
-               guchar **p)
+parse_res_soa (const guint8  *answer,
+               const guint8  *end,
+               const guint8 **p)
 {
   gchar mnamebuf[1024];
   gchar rnamebuf[1024];
@@ -578,9 +578,9 @@ parse_res_soa (guchar  *answer,
 }
 
 static GVariant *
-parse_res_ns (guchar  *answer,
-              guchar  *end,
-              guchar **p)
+parse_res_ns (const guint8  *answer,
+              const guint8  *end,
+              const guint8 **p)
 {
   gchar namebuf[1024];
 
@@ -590,9 +590,9 @@ parse_res_ns (guchar  *answer,
 }
 
 static GVariant *
-parse_res_mx (guchar  *answer,
-              guchar  *end,
-              guchar **p)
+parse_res_mx (const guint8  *answer,
+              const guint8  *end,
+              const guint8 **p)
 {
   gchar namebuf[1024];
   guint16 preference;
@@ -607,13 +607,13 @@ parse_res_mx (guchar  *answer,
 }
 
 static GVariant *
-parse_res_txt (guchar  *answer,
-               guchar  *end,
-               guchar **p)
+parse_res_txt (const guint8  *answer,
+               const guint8  *end,
+               const guint8 **p)
 {
   GVariant *record;
   GPtrArray *array;
-  guchar *at = *p;
+  const guint8 *at = *p;
   gsize len;
 
   array = g_ptr_array_new_with_free_func (g_free);
@@ -652,19 +652,19 @@ g_resolver_record_type_to_rrtype (GResolverRecordType type)
   g_return_val_if_reached (-1);
 }
 
-static GList *
+GList *
 g_resolver_records_from_res_query (const gchar      *rrname,
                                    gint              rrtype,
-                                   guchar           *answer,
-                                   gint              len,
+                                   const guint8     *answer,
+                                   gssize            len,
                                    gint              herr,
                                    GError          **error)
 {
   gint count;
   gchar namebuf[1024];
-  guchar *end, *p;
+  const guint8 *end, *p;
   guint16 type, qclass, rdlength;
-  HEADER *header;
+  const HEADER *header;
   GList *records;
   GVariant *record;
 

gio/gthreadedresolver.h

@@ -42,6 +42,15 @@ typedef struct {
 GLIB_AVAILABLE_IN_ALL
 GType g_threaded_resolver_get_type (void) G_GNUC_CONST;
 
+/* Used for a private test API */
+GLIB_AVAILABLE_IN_ALL
+GList *g_resolver_records_from_res_query (const gchar      *rrname,
+                                          gint              rrtype,
+                                          const guint8     *answer,
+                                          gssize            len,
+                                          gint              herr,
+                                          GError          **error);
+
 G_END_DECLS
 
 #endif /* __G_RESOLVER_H__ */