List: oss-security
Subject: Re: [oss-security] [SECURITY ADVISORY] c-ares: single byte out of buffer write
From: Hanno Böck <hanno@hboeck.de>
Date: 2016-09-29 15:04:03
Message-ID: 20160929170403.7226d30f@hboeck.de
Hi,
Just quick:
This is a very typical bug class that libfuzzer can find very well.
libfuzzer is like afl, but for functions instead of executables.
I have attached sample code for libfuzzer which shows how this works.
(In case anyone cares: Consider it being public domain / CC0 / whatever
licensing terms you like)
Takes only a few seconds without any starting corpus to find this bug.
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
[Attachment #5 (text/x-c++src)]
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/nameser.h>
#include <ares.h>

// libFuzzer entry point: called once per fuzzer-generated input.
// Example build line: clang++ -g -fsanitize=fuzzer,address harness.cc -lcares
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    unsigned char *buf = NULL;
    int buflen = 0;

    // ares_create_query() expects a NUL-terminated name, so copy the raw
    // fuzzer input into a terminated string first.
    char *inp = (char *)malloc(size + 1);
    if (inp == NULL)
        return 0;
    memcpy(inp, data, size);
    inp[size] = 0;

    // Build an A/IN query for the fuzzed name; the out-of-bounds write
    // happens while the name is encoded into the query buffer.
    int rc = ares_create_query(inp, ns_c_in, ns_t_a, 0x1234, 0,
                               &buf, &buflen, 0);

    // buf is only allocated on success; releasing it on failure would be
    // a use of an uninitialised pointer. c-ares documents ares_free_string()
    // as the matching release call for this buffer.
    if (rc == ARES_SUCCESS)
        ares_free_string(buf);
    free(inp);
    return 0;
}