| author | Andrew Bartlett <abartlet@samba.org> | 2019-12-13 22:41:10 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2019-12-18 06:39:26 +0000 |
| commit | 66d12eb98aba10948f829d08b4144969ead5ddbb (patch) | |
| tree | 07b43c9d664f975ccc36df30ed9053a7cbd57eae /lib | |
| parent | 1141fbe9842c57fca7ee1175665638a0c1f5a181 (diff) | |
| download | samba-66d12eb98aba10948f829d08b4144969ead5ddbb.tar.gz | |
lib/fuzzing: Initialise st buffer in fuzz_ndr_X
An NDR pull of a function will fill in either the in. or out.
elements of this structure, but never both.
However, some structures have size_is() in the out. that reference
the in. elements. This is the reason for the --context-file option
in ndrdump.
We have a special handler in the fuzzing case embedded in the
pidl-generated output to cope with this, by filling in pointers
for elements declared [ref,in], but it relies on the in-side
(at least) of the buffer being zeroed.
So zero the buffer before we start. Sadly this means things
like valgrind cannot find a use of uninitialised data, but that
is a price we have to pay.
Credit to OSS-Fuzz
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
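To make the dependency described in the commit message concrete, here is an added model (written for this page, not Samba or pidl code) of a function structure whose out. array is sized by a value that lives only on the in. side. The names (echo_call, in.count, out.data), the status codes and the four-byte little-endian wire layout are all invented for the model; the real pidl-generated fuzzing handler and the real NDR wire format differ in detail. What the model keeps is the one property the patch relies on: the handler can recognise a NULL [ref,in] pointer and fill it in, but a pointer made of stale bytes looks valid and is simply dereferenced.

```c
/*
 * Model (not Samba code) of why the fuzz_ndr_X buffer must be zeroed.
 * echo_call, count, data, the status codes and the wire layout
 * (4-byte LE length + bytes) are invented for this illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct echo_call {
	struct {
		uint32_t *count;	/* [ref,in]: must point at a value */
	} in;
	struct {
		uint32_t len;		/* number of bytes actually pulled */
		uint8_t data[16];	/* [out,size_is(*count)], bounded here */
	} out;
};

enum pull_status {
	PULL_OK = 0,
	PULL_BUFFER_SIZE,	/* wire data too short */
	PULL_ARRAY_SIZE,	/* wire size disagrees with size_is() */
	PULL_ALLOC,
};

/*
 * Fuzzing-mode handler as modelled here: it can only recognise a NULL
 * [ref,in] pointer. A garbage pointer from an uninitialised buffer is
 * indistinguishable from a real one and gets dereferenced as-is.
 */
static int fuzz_handler_fires(const struct echo_call *r)
{
	return r->in.count == NULL;
}

/* Pull of the out. half only; the in. half never arrives on the wire. */
static enum pull_status pull_echo_call_out(const uint8_t *wire, size_t wire_len,
					   struct echo_call *r)
{
	uint32_t wire_count;

	if (fuzz_handler_fires(r)) {
		/* supply the missing in. value so size_is() can be checked */
		r->in.count = calloc(1, sizeof(*r->in.count));
		if (r->in.count == NULL) {
			return PULL_ALLOC;
		}
	}
	if (wire_len < 4) {
		return PULL_BUFFER_SIZE;
	}
	wire_count = (uint32_t)wire[0] | (uint32_t)wire[1] << 8 |
		     (uint32_t)wire[2] << 16 | (uint32_t)wire[3] << 24;

	/* size_is(*in.count): the array on the wire must match the in. value */
	if (wire_count != *r->in.count) {
		return PULL_ARRAY_SIZE;
	}
	if (wire_count > sizeof(r->out.data) || wire_len - 4 < wire_count) {
		return PULL_BUFFER_SIZE;
	}
	memcpy(r->out.data, wire + 4, wire_count);
	r->out.len = wire_count;
	return PULL_OK;
}

/* Constructed out-side wire data: a 3-byte array and an empty array. */
static const uint8_t wire_three[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
static const uint8_t wire_empty[] = { 0, 0, 0, 0 };

/* Case 1: buffer zeroed as the patch does; the handler fires, in.count = 0. */
static enum pull_status pull_into_zeroed(const uint8_t *wire, size_t n)
{
	struct echo_call st;
	enum pull_status rc;

	memset(&st, '\0', sizeof(st));
	rc = pull_echo_call_out(wire, n, &st);
	free(st.in.count);
	return rc;
}

/* Case 2: in.count supplied up front, the role of ndrdump --context-file. */
static enum pull_status pull_with_context(const uint8_t *wire, size_t n,
					  uint32_t count)
{
	struct echo_call st;

	memset(&st, '\0', sizeof(st));
	st.in.count = &count;	/* handler does not fire; nothing to free */
	return pull_echo_call_out(wire, n, &st);
}

/* Case 3: stale bytes stand in for uninitialised memory; handler cannot tell. */
static int handler_fires_on_garbage(void)
{
	struct echo_call st;

	memset(&st, 0x41, sizeof(st));
	return fuzz_handler_fires(&st);	/* 0: in.count would be dereferenced */
}

int main(void)
{
	printf("zeroed, empty array:   %d\n", pull_into_zeroed(wire_empty, sizeof(wire_empty)));
	printf("zeroed, 3-byte array:  %d\n", pull_into_zeroed(wire_three, sizeof(wire_three)));
	printf("context=3, 3 bytes:    %d\n", pull_with_context(wire_three, sizeof(wire_three), 3));
	printf("handler on garbage:    %d\n", handler_fires_on_garbage());
	return 0;
}
```

The zeroed case only accepts an empty out. array, because the handler has nothing better than zero to put in in.count; that is enough for a fuzzer, whose aim is to exercise the parser without crashing. Supplying the in. value up front, as a context file does for ndrdump, is what lets a real-sized out. array pull succeed. The garbage case shows the failure the patch prevents: the handler's NULL test never fires, so the model would go on to read through whatever the stale bytes happen to spell.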
Diffstat (limited to 'lib')

| -rw-r--r-- | lib/fuzzing/fuzz_ndr_X.c | 10 |
|---|---|---|

1 file changed, 10 insertions, 0 deletions
diff --git a/lib/fuzzing/fuzz_ndr_X.c b/lib/fuzzing/fuzz_ndr_X.c index 5fc21dcef26..e8c3bb4cf76 100644 --- a/lib/fuzzing/fuzz_ndr_X.c +++ b/lib/fuzzing/fuzz_ndr_X.c @@ -251,6 +251,16 @@ int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) { TALLOC_FREE(mem_ctx); return 0; } + + /* + * We must initialise the buffer (even if we would + * prefer not to for the sake of eg valgrind) as + * otherwise the special handler for 'out pointer with + * [size_is()] refers to in value with [ref]' fails to + * trigger + */ + memset(st, '\0', sizeof(st)); + ndr_pull->flags |= LIBNDR_FLAG_REF_ALLOC; if (type == TYPE_OUT) { |
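Review bot: `memset(st, '\0', sizeof(st));` only zeroes the whole structure if `st` is declared as an array (a VLA sized from the call table included); the declaration is outside this hunk, so please confirm it. If `st` were a pointer to a talloc'd or otherwise allocated buffer, `sizeof(st)` would be the pointer width and all but the first few bytes would stay uninitialised, which is exactly the state the commit message says the pidl fuzzing handler cannot cope with. In that case zero with the allocation size, or allocate with a zeroing allocator, rather than `sizeof(st)`. Placement looks right: the zeroing sits after the allocation-failure return and before `ndr_pull->flags |= LIBNDR_FLAG_REF_ALLOC;`, so both the TYPE_IN and TYPE_OUT paths below see a clean buffer.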