
List:       oss-security
Subject:    Re: [oss-security] [SECURITY ADVISORY] c-ares: single byte out of buffer write
From:       Hanno Böck <hanno () hboeck ! de>
Date:       2016-09-29 15:04:03
Message-ID: 20160929170403.7226d30f () hboeck ! de


Hi,

Just quick:
This is a very typical bug class that libfuzzer can find very well.
libfuzzer is like afl, but for functions instead of executables.

I have attached sample code for libfuzzer which shows how this works.
(In case anyone cares: Consider it being public domain / CC0 / whatever
licensing terms you like)

Takes only a few seconds without any starting corpus to find this bug.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

[Attachment #5 (text/x-c++src)]

// libFuzzer harness for ares_create_query(), as attached to the mail.
// Build with ASan so that a single-byte heap overflow is actually reported;
// an assumed build line (not part of the mail) is:
//   clang++ -g -O1 -fsanitize=fuzzer,address harness.cc -lcares -o harness
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/nameser.h>

#include <ares.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    unsigned char *buf = NULL;
    int buflen = 0;

    /* ares_create_query() expects a NUL-terminated name, so copy the fuzzer
     * input into a buffer with one extra byte for the terminator. */
    char *inp = (char *)malloc(size + 1);
    if (inp == NULL)
        return 0;
    memcpy(inp, data, size);
    inp[size] = 0;

    /* Build an A/IN query for the fuzzed name. The out-of-buffer write
     * happens while the name is encoded into the query buffer. */
    ares_create_query(inp, ns_c_in, ns_t_a, 0x1234, 0, &buf, &buflen, 0);

    /* The query buffer comes from c-ares' allocator, so release it with the
     * library's own free routine rather than free(). c-ares sets buf to
     * NULL on failure, and ares_free_string() accepts NULL. */
    ares_free_string(buf);
    free(inp);
    return 0;
}
