From 5c0faaf4f5e26180dcc31b7e8558d57426d84085 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0tetiar?=
Date: Sat, 18 Jan 2020 18:32:55 +0100
Subject: [PATCH] tests: prefer dynamically allocated buffers
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Help detecting Valgrind OOB reads and other issues.

Conditional jump or move depends on uninitialised value(s)
at 0x5452886: blobmsg_parse (blobmsg.c:203)
by 0x400A8E: test_blobmsg (tests/test-blobmsg-parse.c:66)
by 0x400A8E: main (tests/test-blobmsg-parse.c:82)

Conditional jump or move depends on uninitialised value(s)
at 0x545247F: blobmsg_check_name (blobmsg.c:39)
by 0x545247F: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)

Conditional jump or move depends on uninitialised value(s)
at 0x54524A0: blobmsg_check_name (blobmsg.c:42)
by 0x54524A0: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/021204.html
Signed-off-by: Petr Å tetiar
---
 tests/fuzz/test-fuzz.c | 10 +++++++++-
 tests/test-b64.c | 13 +++++++++----
 tests/test-blob-parse.c | 17 +++++++++++++----
 tests/test-blobmsg-parse.c | 14 ++++++++++----
 tests/test-blobmsg-procd-instance.c | 22 ++++++++++++++-------
 5 files changed, 55 insertions(+), 21 deletions(-)

diff --git a/tests/fuzz/test-fuzz.c b/tests/fuzz/test-fuzz.c
index 4dc13a8..026a3fd 100644
--- a/tests/fuzz/test-fuzz.c
+++ b/tests/fuzz/test-fuzz.c
@@ -91,10 +91,18 @@ static void fuzz_blob_parse(const uint8_t *data, size_t size)
 blob_parse_untrusted(buf, size, foo, foo_policy, __FOO_ATTR_MAX);
 }
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
 {
+ uint8_t *data;
+
+ data = malloc(size);
+ if (!data)
+ return -1;
+
+ memcpy(data, input, size);
 fuzz_blob_parse(data, size);
 fuzz_blobmsg_parse(data, size);
+ free(data);
 return 0;
 }
diff --git a/tests/test-b64.c b/tests/test-b64.c
index c29b4e2..d33ad0d 100644
--- a/tests/test-b64.c
+++ b/tests/test-b64.c
@@ -1,20 +1,25 @@
 #include
 #include
+#include
 #include "utils.h"
+#define BUF_LEN 255
+
 static void test_b64_encode(const char *src)
 {
- char dst[255] = {0};
- int r = b64_encode(src, strlen(src), dst, sizeof(dst));
+ char *dst = malloc(BUF_LEN+1);
+ int r = b64_encode(src, strlen(src), dst, BUF_LEN);
 fprintf(stdout, "%d %s\n", r, dst);
+ free(dst);
 }
 static void test_b64_decode(const char *src)
 {
- char dst[255] = {0};
- int r = b64_decode(src, dst, sizeof(dst));
+ char *dst = malloc(BUF_LEN+1);
+ int r = b64_decode(src, dst, BUF_LEN);
 fprintf(stdout, "%d %s\n", r, dst);
+ free(dst);
 }
 int main()
diff --git a/tests/test-blob-parse.c b/tests/test-blob-parse.c
index 6d65eb4..5f58201 100644
--- a/tests/test-blob-parse.c
+++ b/tests/test-blob-parse.c
@@ -68,7 +68,7 @@ static int cert_load(const char *certfile, struct list_head *chain)
 struct blob_attr *certtb[CERT_ATTR_MAX];
 struct blob_attr *bufpt;
 struct cert_object *cobj;
- char filebuf[CERT_BUF_LEN];
+ char *filebuf = NULL;
 int ret = 0, pret = 0;
 size_t len, pos = 0;
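Review bot: `malloc(size)` is permitted to return NULL when `size == 0`, so the new `if (!data) return -1;` can make the fuzzer skip the empty input instead of feeding both parsers a zero-length buffer, which is precisely the boundary case worth covering; `data = malloc(size ? size : 1);` keeps the check meaningful for every input. The heap copy also deserves a one-line comment on why the input is duplicated, e.g. `/* exact-size heap copy so ASan/Valgrind flag reads past the end of the input */`, since nothing in the function says so. As far as I recall libFuzzer treats a `-1` return as "do not add this input to the corpus", which is acceptable for an allocation failure but is worth stating next to the return so it is not mistaken for an error code.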
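Review bot: `char *dst = malloc(BUF_LEN+1);` is used without a NULL check in both helpers, and because `dst` is no longer zero-initialised the `fprintf(stdout, "%d %s\n", r, dst)` would print indeterminate heap bytes if `b64_encode`/`b64_decode` fails without writing a terminator (their failure behaviour is not visible in this hunk). Assuming a negative `r` signals failure, guarding the print — `fprintf(stdout, "%d %s\n", r, r < 0 ? "" : dst);` — keeps the output deterministic and avoids echoing uninitialised memory. The buffer is also allocated one byte larger than the `BUF_LEN` handed to the encoder/decoder, which leaves an unchecked slack byte that would mask an off-by-one write, the very thing the change is meant to expose; passing the allocated size (`BUF_LEN+1`) or allocating exactly `BUF_LEN` keeps the bound tight.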
@@ -76,14 +76,22 @@ static int cert_load(const char *certfile, struct list_head *chain)
 if (!f)
 return 1;
- len = fread(&filebuf, 1, CERT_BUF_LEN - 1, f);
- if (len < 64)
+ filebuf = malloc(CERT_BUF_LEN+1);
+ if (!filebuf)
 return 1;
+ len = fread(filebuf, 1, CERT_BUF_LEN, f);
+ if (len < 64) {
+ free(filebuf);
+ return 1;
+ }
+
 ret = ferror(f) || !feof(f);
 fclose(f);
- if (ret)
+ if (ret) {
+ free(filebuf);
 return 1;
+ }
 bufpt = (struct blob_attr *)filebuf;
 do {
@@ -112,6 +120,7 @@ static int cert_load(const char *certfile, struct list_head *chain)
 /* repeat parsing while there is still enough remaining data in buffer */
 } while(len > pos + sizeof(struct blob_attr) && (bufpt = blob_next(bufpt)));
+ free(filebuf);
 return (ret <= 0);
 }
diff --git a/tests/test-blobmsg-parse.c b/tests/test-blobmsg-parse.c
index ca710fd..b2844f3 100644
--- a/tests/test-blobmsg-parse.c
+++ b/tests/test-blobmsg-parse.c
@@ -40,18 +40,22 @@ static void test_blobmsg(const char *filename)
 {
 #define BUF_LEN 256
 int r = 0;
- FILE *fd = NULL;
 size_t len = 0;
- char buf[BUF_LEN+1] = { 0 };
+ FILE *fd = NULL;
+ char *buf = NULL;
 struct blob_attr *tb[__FOO_MAX];
 fd = fopen(filename, "r");
 if (!fd) {
- fprintf(stderr, "unable to open %s", filename);
+ fprintf(stderr, "unable to open %s\n", filename);
 return;
 }
- len = fread(&buf, 1, BUF_LEN, fd);
+ buf = malloc(BUF_LEN+1);
+ if (!buf)
+ return;
+
+ len = fread(buf, 1, BUF_LEN, fd);
 fclose(fd);
 r = blobmsg_parse(foo_policy, ARRAY_SIZE(foo_policy), tb, buf, len);
@@ -59,6 +63,8 @@ static void test_blobmsg(const char *filename)
 r = blobmsg_parse_array(foo_policy, ARRAY_SIZE(foo_policy), tb, buf, len);
 dump_result("blobmsg_parse_array", r, filename, tb);
+
+ free(buf);
 }
 int main(int argc, char *argv[])
diff --git a/tests/test-blobmsg-procd-instance.c b/tests/test-blobmsg-procd-instance.c
index a5b4706..d6d905f 100644
--- a/tests/test-blobmsg-procd-instance.c
+++ b/tests/test-blobmsg-procd-instance.c
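Review bot: The new `if (!filebuf) return 1;` and the rewritten `len < 64` block both return after `fopen` succeeded and before the `fclose(f)` that follows the `ferror`/`feof` check, so `f` is leaked on those paths; the short-read leak predates the patch, but the patch is rewriting exactly these lines. Closing the stream there — `if (!filebuf) { fclose(f); return 1; }` and a `fclose(f);` ahead of `free(filebuf);` inside the `len < 64` block — fixes it without restructuring. With three free-then-return copies now in the function, a single `goto out` cleanup label, as this same series uses in tests/test-blobmsg-procd-instance.c, would be the tidier shape; the rest of `cert_load` lies outside this hunk.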
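Review bot: `free(filebuf)` immediately before `return (ret <= 0);` is only correct if nothing appended to `chain` still points into the buffer; the loop that fills `cobj` from `bufpt` is outside this hunk, so I cannot tell whether the `cert_object` entries hold copies or raw `blob_attr` pointers into `filebuf`. If they hold pointers, the caller now reads freed memory, which Valgrind would report only once something walks the chain. A comment at the free recording the ownership, e.g. `/* chain entries do not reference filebuf after parsing */`, would make the invariant checkable, and if it does not hold the entries need to copy the attributes before this free.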
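Review bot: `if (!buf) return;` executes after `fopen(filename, "r")` succeeded and before `fclose(fd)`, so an allocation failure leaks the stream; the same sequence is introduced in tests/test-blobmsg-procd-instance.c (hunk `@@ -75,26 +75,32 @@`). Either allocate before opening the file, or close on the failure path: `if (!buf) { fclose(fd); return; }`. The new `len = fread(buf, 1, BUF_LEN, fd);` still ignores read errors, so a failed read is parsed as a short or empty message; that predates the change, but an `if (ferror(fd))` check next to the new line would make the test's failure mode explicit rather than silent.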
@@ -63,9 +63,9 @@ static void test_blobmsg_procd_instance(const char *filename)
 {
 #define BUF_LEN 2048
 int r = 0;
- FILE *fd = NULL;
 size_t len = 0;
- char buf[BUF_LEN+1] = { 0 };
+ FILE *fd = NULL;
+ char *buf = NULL;
 struct blob_attr *tb[__INSTANCE_ATTR_MAX];
 const char *fname = basename((char *) filename);
@@ -75,26 +75,32 @@ static void test_blobmsg_procd_instance(const char *filename)
 return;
 }
- len = fread(&buf, 1, BUF_LEN, fd);
+ buf = malloc(BUF_LEN+1);
+ if (!buf)
+ return;
+
+ len = fread(buf, 1, BUF_LEN, fd);
 fclose(fd);
 r = blobmsg_parse(instance_attr, __INSTANCE_ATTR_MAX, tb, buf, len);
 if (r)
- return;
+ goto out;
 if (!tb[INSTANCE_ATTR_COMMAND] || !tb[INSTANCE_ATTR_NICE] || !tb[INSTANCE_ATTR_STDERR])
- return;
+ goto out;
 if (!blobmsg_check_attr_list(tb[INSTANCE_ATTR_COMMAND], BLOBMSG_TYPE_STRING))
- return;
+ goto out;
 if (blobmsg_get_u32(tb[INSTANCE_ATTR_NICE]) != 19)
- return;
+ goto out;
 if (!blobmsg_get_bool(tb[INSTANCE_ATTR_STDERR]))
- return;
+ goto out;
 fprintf(stderr, "%s: OK\n", fname);
+out:
+ free(buf);
 }
 int main(int argc, char *argv[])
-- 
2.25.1