From 697bb76589531c8361c118326fa7127548d3ab3d Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Tue, 1 Feb 2022 13:11:41 +0000
Subject: [PATCH] tests: fuzz client_send_message to make sure outgoing packets based on incoming packets are fine. It's just another follow-up to https://github.com/systemd/systemd/pull/10200. Better late than never :-)
---
.../fuzz-dhcp6-client-send.c | 59 ++++++++++++++++++
src/libsystemd-network/meson.build | 4 ++
.../12ad30d317800d7f731c1c8bc0854e531d5ef928 | Bin 0 -> 16447 bytes
...h-a93b8ba024ada36014c29c25cc90c668fd91ce7f | Bin 0 -> 78 bytes
.../f202c4dff34d15e41c032a66ed25d89154be1f6d | Bin 0 -> 76 bytes
5 files changed, 63 insertions(+)
create mode 100644 src/libsystemd-network/fuzz-dhcp6-client-send.c
create mode 100644 test/fuzz/fuzz-dhcp6-client-send/12ad30d317800d7f731c1c8bc0854e531d5ef928
create mode 100644 test/fuzz/fuzz-dhcp6-client-send/crash-a93b8ba024ada36014c29c25cc90c668fd91ce7f
create mode 100644 test/fuzz/fuzz-dhcp6-client-send/f202c4dff34d15e41c032a66ed25d89154be1f6d
diff --git a/src/libsystemd-network/fuzz-dhcp6-client-send.c b/src/libsystemd-network/fuzz-dhcp6-client-send.c
new file mode 100644
index 0000000000..48401410f6
--- /dev/null
+++ b/src/libsystemd-network/fuzz-dhcp6-client-send.c
@@ -0,0 +1,59 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "fuzz.h"
+
+#include "sd-dhcp6-client.c"
+
+int dhcp6_network_send_udp_socket(int s, struct in6_addr *server_address,
+ const void *packet, size_t len) {
+ return len;
+}
+
+int dhcp6_network_bind_udp_socket(int index, struct in6_addr *local_address) {
+ int fd;
+
+ fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0);
+ assert_se(fd >= 0);
+
+ return fd;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_(sd_event_unrefp) sd_event *e = NULL;
+ _cleanup_(sd_dhcp6_client_unrefp) sd_dhcp6_client *client = NULL;
+ struct in6_addr address = { { { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 } } };
+ triple_timestamp t = {};
+ usec_t time_now;
+ int r;
+
+ if (size < sizeof(DHCP6Message))
+ return 0;
+
+ assert_se(sd_event_new(&e) >= 0);
+ assert_se(sd_dhcp6_client_new(&client) >= 0);
+ assert_se(sd_dhcp6_client_attach_event(client, e, 0) >= 0);
+ assert_se(sd_dhcp6_client_set_ifindex(client, 42) == 0);
+ assert_se(sd_dhcp6_client_set_fqdn(client, "example.com") == 1);
+ assert_se(sd_dhcp6_client_set_request_mud_url(client, "https://www.example.com/mudfile.json") >= 0);
+ assert_se(sd_dhcp6_client_set_request_user_class(client, STRV_MAKE("u1", "u2", "u3")) >= 0);
+ assert_se(sd_dhcp6_client_set_request_vendor_class(client, STRV_MAKE("v1", "v2", "v3")) >= 0);
+ assert_se(sd_dhcp6_client_set_local_address(client, &address) >= 0);
+ assert_se(sd_dhcp6_client_set_information_request(client, false) == 0);
+ dhcp6_client_set_test_mode(client, true);
+ assert_se(sd_dhcp6_client_start(client) >= 0);
+ assert_se(sd_dhcp6_client_set_transaction_id(client, htobe32(0x00ffffff) & ((const DHCP6Message *) data)->transaction_id) == 0);
+
+ triple_timestamp_get(&t);
+ if (client_receive_advertise(client, (DHCP6Message *) data, size, &t, NULL) != DHCP6_STATE_REQUEST)
+ goto cleanup;
+
+ r = sd_event_now(client->event, clock_boottime_or_monotonic(), &time_now);
+ if (r < 0)
+ goto cleanup;
+
+ client->state = DHCP6_STATE_REQUEST;
+ (void) client_send_message(client, time_now);
+cleanup:
+ assert_se(sd_dhcp6_client_stop(client) >= 0);
+ return 0;
+}
diff --git a/src/libsystemd-network/meson.build b/src/libsystemd-network/meson.build
index 853401d5be..a44e8c0824 100644
--- a/src/libsystemd-network/meson.build
+++ b/src/libsystemd-network/meson.build
@@ -113,6 +113,10 @@ fuzzers += [ [libshared, libsystemd_network]], + [files('fuzz-dhcp6-client-send.c'), + [libshared, + libsystemd_network]], + [files('fuzz-dhcp-server.c'), [libsystemd_network, libshared]],
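Review bot: The `dhcp6_network_send_udp_socket()` stub in fuzz-dhcp6-client-send.c returns `len` without ever reading `packet`, so the bytes that `client_send_message()` hands to the socket layer are never inspected, although the commit message says the aim is to make sure outgoing packets are fine. A `len` that overstates the buffer would pass silently under ASan as the stub stands. Reading the whole buffer in the stub closes that gap, for example `_cleanup_free_ void *copy = memdup(packet, len);` followed by `assert_se(copy || len == 0);` before `return len;` (assuming `memdup()` from alloc-util.h is reachable through the included `sd-dhcp6-client.c`). It would also help to add a comment above the `sd_dhcp6_client_set_transaction_id()` call saying that the transaction id is taken from the input, presumably so the message is not rejected as belonging to another exchange, and one above `client->state = DHCP6_STATE_REQUEST;` explaining why the state is forced by hand.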
diff --git a/test/fuzz/fuzz-dhcp6-client-send/12ad30d317800d7f731c1c8bc0854e531d5ef928 b/test/fuzz/fuzz-dhcp6-client-send/12ad30d317800d7f731c1c8bc0854e531d5ef928 new file mode 100644 index 0000000000000000000000000000000000000000..c140fc0212125851575541a17ca11226c9811f1a GIT binary patch literal 16447 zcmeHOO=ule6h1RA<4c0p3a!mcL{c@{KjFn1NuCsmJ7dkJxCm4fEv34!wEln#+afMP zh2o~Ts5>|QtP~gWL=mBNBSk1ws8pe(t1N^f78>jIJNIYa+?hLn@4a9W=90Xb`*VKo zIp>}^_uLu3MqKL8(l|};Cu-2ng{84Mu_Bg*5JzZ~8g<-=+n+b(K&tOPJ4qvSpHF+p ze@fg`%!lLKP2_AT)5Z<8VVTn$1&4#@GwPJW|4wys=4?LR$4}ZikDIQpNHV;I@46Ec26e5InFc2!dMy9VZW(MfV{8 zL=d(*_l(jm{tEPsB2}$$E}rnOHa&WTYQj6XEY4{=;7+5h&^Y2kf$VL?loN)?H4aNL zLhB(-#6BIaV;;N4CnkQoa^;r^6rRP?6QeNhQMPvc!j>9Cm$z|6jE;=T(wgBa%A%Pu z?(ZjSGHhi-4QiA(IV~eNi_IC%!t))@;_Y|u-OhZi0cY_(*kETt{w&OH5H{zpFl(?x z;RUFv25wg-wo_iYj#1vCyr6;x2}BYofv^J~f}e_jGq9&n8I=AV+z6beL{><+KA2a9 z+At(nBv(GwONf_-w~u_eo;u?hb*#ordrZwxI>xx|c}g<;V}umWmjyKo1W`I)+G42{ z5ep~|0Tr0mqzO$Y zn1WP})DeAn;|w+Vv1P2^yAe|a>vLsaQGNbIn^=EpiPS=@a!EcRQ9;p~8ZH-E@3`VZ zRHM&Ajo3>=F~^Hu8fwg#WuxxX$ZT8EbZwLDSg!8o3;yj<!Eu;)g2*Xzy0Lfq^XhXcOpXe-myE;?9;VzB@Y`a@9x zoOzB$1Gz>#X6^dP9)^OYgUJxm3N;D@k$FM26*sA9FDeg94v^9~i^}4mR8ZZC0v!=| zr;~{gr3(qMFNzMivm*O0HFdg7kzp|NV>rH^+#~o0XfK!^sIkMu)yFj}{2x@a%iIo? z)SP6nUz*ztY>tq8N)j=0a4;C(79hq>i_xP7ayx5V=prNe(Dvcl7Fu$!R#8z`Vvpk` zWAUY3MSRID8B{(xfifgXS%jV z(sU+W%dR?-wCXL2OLzE8#u*!^4ig(VVkAdwkeV`dXQ8cN6+wHsgm3ZiGigt$jAFx? zpXkks(JOdP5p~0Xyn*jyxKFXYE6tNygtbPoDbFF0A>0M*bPca^0~&H7teK za?U)GO924^%CCGTB@2hUiGw2Jj#FY`1=;O$2;^di7b#>)or!^`w5{_hpNV06Djx)p zhvp%5K1y(EBPGP}dkIN6Wy)tJu75Q1{@0m150m^B>^7W)NK`jn+f59WCBlC7akj{UG+1n3-@(ZKF6FUmOCvfe@;^Dp;m2UR%aWtW(4IW%juaa zLBlezv%o4VaVQ~49+~~p@Kb-FjOI*ztPwv6c0~C}U<MI-i5r5$amvDcMdvyDqk7TXR2gwb( zYa!WHqQ%9EZd+{&%^ literal 0 HcmV?d00001 
diff --git a/test/fuzz/fuzz-dhcp6-client-send/crash-a93b8ba024ada36014c29c25cc90c668fd91ce7f b/test/fuzz/fuzz-dhcp6-client-send/crash-a93b8ba024ada36014c29c25cc90c668fd91ce7f new file mode 100644 index 0000000000000000000000000000000000000000..2bf4027c0c7c0514bbc4440a52384575b1bd25fb GIT binary patch literal 78 zcmZQ#aA#m(W^jvqBJIW5_5Z#0|Nl}9tPGNq82&Rb{O4FLm{`uh%U~ky$N-l72bYYD WiImi2kbdID00itGes5s~Y5@SU(it8A literal 0 HcmV?d00001 diff --git a/test/fuzz/fuzz-dhcp6-client-send/f202c4dff34d15e41c032a66ed25d89154be1f6d b/test/fuzz/fuzz-dhcp6-client-send/f202c4dff34d15e41c032a66ed25d89154be1f6d new file mode 100644 index 0000000000000000000000000000000000000000..9d8994dec4f1efb01e5f175784ef71ba77ee8331 GIT binary patch literal 76 zcmZR2$-uzC$iTp0Ly5ML-@S0|PUIM&uJ|F9v&E_ J13Lrbe*m<55;*_> literal 0 HcmV?d00001