Help detecting Valgrind OOB reads and other issues.
Conditional jump or move depends on uninitialised value(s)
at 0x5452886: blobmsg_parse (blobmsg.c:203)
by 0x400A8E: test_blobmsg (tests/test-blobmsg-parse.c:66)
by 0x400A8E: main (tests/test-blobmsg-parse.c:82)
Conditional jump or move depends on uninitialised value(s)
at 0x545247F: blobmsg_check_name (blobmsg.c:39)
by 0x545247F: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)
Conditional jump or move depends on uninitialised value(s)
at 0x54524A0: blobmsg_check_name (blobmsg.c:42)
by 0x54524A0: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/021204.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
blob_parse_untrusted(buf, size, foo, foo_policy, __FOO_ATTR_MAX);
}
blob_parse_untrusted(buf, size, foo, foo_policy, __FOO_ATTR_MAX);
}
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
+ uint8_t *data;
+
+ data = malloc(size);
+ if (!data)
+ return -1;
+
+ memcpy(data, input, size);
fuzz_blob_parse(data, size);
fuzz_blobmsg_parse(data, size);
fuzz_blob_parse(data, size);
fuzz_blobmsg_parse(data, size);
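Review bot: `free(data)` does not appear after the two parser calls, so unless the function's tail (outside this hunk) releases it, every fuzz iteration leaks `size` bytes and libFuzzer's LeakSanitizer pass will report the harness itself instead of the code under test. Returning `-1` on allocation failure also deserves a second look: the libFuzzer contract is that the callback returns 0 (newer versions treat -1 as "reject this input"), and on allocators where `malloc(0)` yields NULL the empty input would be rejected instead of exercising the zero-length path in `blob_parse_untrusted`; `data = malloc(size ? size : 1);` sidesteps that without changing the exactly-sized copy for every other input. The exactly-sized heap copy is otherwise the right way to let ASan/Valgrind flag reads past `size`, which the old `const uint8_t *data` parameter could not provide.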
#include <stdio.h>
#include <string.h>
#include <stdio.h>
#include <string.h>
static void test_b64_encode(const char *src)
{
static void test_b64_encode(const char *src)
{
- char dst[255] = {0};
- int r = b64_encode(src, strlen(src), dst, sizeof(dst));
+ char *dst = malloc(BUF_LEN+1);
+ int r = b64_encode(src, strlen(src), dst, BUF_LEN);
fprintf(stdout, "%d %s\n", r, dst);
fprintf(stdout, "%d %s\n", r, dst);
}
static void test_b64_decode(const char *src)
{
}
static void test_b64_decode(const char *src)
{
- char dst[255] = {0};
- int r = b64_decode(src, dst, sizeof(dst));
+ char *dst = malloc(BUF_LEN+1);
+ int r = b64_decode(src, dst, BUF_LEN);
fprintf(stdout, "%d %s\n", r, dst);
fprintf(stdout, "%d %s\n", r, dst);
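Review bot: Neither `malloc(BUF_LEN+1)` result is checked before being handed to `b64_encode`/`b64_decode`, and `dst` is printed with `%s` regardless of `r`, so a failing call that leaves the buffer unterminated now reads uninitialised heap where the old `char dst[255] = {0}` was at least zero-filled. The other test files in this commit guard the allocation with `if (!buf) return;`; do the same here, and unless both b64 routines are known to NUL-terminate on every return path (I cannot tell from the hunk), only print `dst` when `r >= 0`. `free(dst)` is not visible in either function either — if their tails are simply outside this rendering disregard, otherwise each call leaks `BUF_LEN+1` bytes. `BUF_LEN` itself is not defined in the lines shown; presumably it is added near the includes.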
struct blob_attr *certtb[CERT_ATTR_MAX];
struct blob_attr *bufpt;
struct cert_object *cobj;
struct blob_attr *certtb[CERT_ATTR_MAX];
struct blob_attr *bufpt;
struct cert_object *cobj;
- char filebuf[CERT_BUF_LEN];
int ret = 0, pret = 0;
size_t len, pos = 0;
int ret = 0, pret = 0;
size_t len, pos = 0;
- len = fread(&filebuf, 1, CERT_BUF_LEN - 1, f);
- if (len < 64)
+ filebuf = malloc(CERT_BUF_LEN+1);
+ if (!filebuf)
+ len = fread(filebuf, 1, CERT_BUF_LEN, f);
+ if (len < 64) {
+ free(filebuf);
+ return 1;
+ }
+
ret = ferror(f) || !feof(f);
fclose(f);
ret = ferror(f) || !feof(f);
fclose(f);
+ if (ret) {
+ free(filebuf);
bufpt = (struct blob_attr *)filebuf;
do {
bufpt = (struct blob_attr *)filebuf;
do {
/* repeat parsing while there is still enough remaining data in buffer */
} while(len > pos + sizeof(struct blob_attr) && (bufpt = blob_next(bufpt)));
/* repeat parsing while there is still enough remaining data in buffer */
} while(len > pos + sizeof(struct blob_attr) && (bufpt = blob_next(bufpt)));
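Review bot: The rewritten `if (len < 64)` block frees `filebuf` but leaves `f` open, so the short-read path leaks the FILE; since this branch is being rewritten anyway it should read `free(filebuf); fclose(f); return 1;` (the old code had the same omission, but it was not touching the branch). The `return` that must follow `if (!filebuf)` is not visible in this rendering, and because the allocation happens after `fopen` has already succeeded that path needs `fclose(f)` too. The matching `free(filebuf)` after the parse loop, and the function's opening and closing lines, are outside this hunk.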
{
#define BUF_LEN 256
int r = 0;
{
#define BUF_LEN 256
int r = 0;
- char buf[BUF_LEN+1] = { 0 };
+ FILE *fd = NULL;
+ char *buf = NULL;
struct blob_attr *tb[__FOO_MAX];
fd = fopen(filename, "r");
if (!fd) {
struct blob_attr *tb[__FOO_MAX];
fd = fopen(filename, "r");
if (!fd) {
- fprintf(stderr, "unable to open %s", filename);
+ fprintf(stderr, "unable to open %s\n", filename);
- len = fread(&buf, 1, BUF_LEN, fd);
+ buf = malloc(BUF_LEN+1);
+ if (!buf)
+ return;
+
+ len = fread(buf, 1, BUF_LEN, fd);
fclose(fd);
r = blobmsg_parse(foo_policy, ARRAY_SIZE(foo_policy), tb, buf, len);
fclose(fd);
r = blobmsg_parse(foo_policy, ARRAY_SIZE(foo_policy), tb, buf, len);
r = blobmsg_parse_array(foo_policy, ARRAY_SIZE(foo_policy), tb, buf, len);
dump_result("blobmsg_parse_array", r, filename, tb);
r = blobmsg_parse_array(foo_policy, ARRAY_SIZE(foo_policy), tb, buf, len);
dump_result("blobmsg_parse_array", r, filename, tb);
}
int main(int argc, char *argv[])
}
int main(int argc, char *argv[])
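Review bot: `if (!buf) return;` leaves `fd` open, because the file was opened before the allocation; either move `buf = malloc(BUF_LEN+1);` ahead of the `fopen` or close the stream on that path with `fclose(fd); return;`. `free(buf)` is not visible after the second `dump_result` call — if the function's tail is outside this rendering disregard, otherwise each input file leaks `BUF_LEN+1` bytes. The Valgrind trace in the description (blobmsg.c:203 reached from test-blobmsg-parse.c:66) is the intended effect of this change: bytes between `len` and `BUF_LEN+1` are now uninitialised, so any parser read past `len` is reported; that is worth stating in a comment above the `malloc`, e.g. `/* heap buffer, not zeroed: lets Valgrind/ASan flag reads past len */`.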
{
#define BUF_LEN 2048
int r = 0;
{
#define BUF_LEN 2048
int r = 0;
- char buf[BUF_LEN+1] = { 0 };
+ FILE *fd = NULL;
+ char *buf = NULL;
struct blob_attr *tb[__INSTANCE_ATTR_MAX];
const char *fname = basename((char *) filename);
struct blob_attr *tb[__INSTANCE_ATTR_MAX];
const char *fname = basename((char *) filename);
- len = fread(&buf, 1, BUF_LEN, fd);
+ buf = malloc(BUF_LEN+1);
+ if (!buf)
+ return;
+
+ len = fread(buf, 1, BUF_LEN, fd);
fclose(fd);
r = blobmsg_parse(instance_attr, __INSTANCE_ATTR_MAX, tb, buf, len);
if (r)
fclose(fd);
r = blobmsg_parse(instance_attr, __INSTANCE_ATTR_MAX, tb, buf, len);
if (r)
if (!tb[INSTANCE_ATTR_COMMAND] || !tb[INSTANCE_ATTR_NICE] || !tb[INSTANCE_ATTR_STDERR])
if (!tb[INSTANCE_ATTR_COMMAND] || !tb[INSTANCE_ATTR_NICE] || !tb[INSTANCE_ATTR_STDERR])
if (!blobmsg_check_attr_list(tb[INSTANCE_ATTR_COMMAND], BLOBMSG_TYPE_STRING))
if (!blobmsg_check_attr_list(tb[INSTANCE_ATTR_COMMAND], BLOBMSG_TYPE_STRING))
if (blobmsg_get_u32(tb[INSTANCE_ATTR_NICE]) != 19)
if (blobmsg_get_u32(tb[INSTANCE_ATTR_NICE]) != 19)
if (!blobmsg_get_bool(tb[INSTANCE_ATTR_STDERR]))
if (!blobmsg_get_bool(tb[INSTANCE_ATTR_STDERR]))
fprintf(stderr, "%s: OK\n", fname);
fprintf(stderr, "%s: OK\n", fname);
}
int main(int argc, char *argv[])
}
int main(int argc, char *argv[])
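Review bot: Same pattern as the blobmsg test: `if (!buf) return;` runs after `fopen` has succeeded (the `fopen` itself is outside the hunk), so `fd` leaks on that path and needs `fclose(fd); return;`. Now that `buf` is heap-allocated, each of the early exits after `blobmsg_parse` (`if (r)`, the `!tb[...]` check, `blobmsg_check_attr_list`, the `!= 19` and `blobmsg_get_bool` checks) must also release it; their bodies are not shown, so if they already `free(buf)` ignore this, otherwise a single `goto out;` to a cleanup label that does `free(buf)` keeps the checks readable. The function's opening and its end are outside this hunk.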