Fix a memory leak in mpd_client_parse_line()

Import configuration test from degesch
Fix crashes in the config parser
2020-10-12 02:07:15 +02:00 · 2020-10-12 02:07:15 +02:00 · 2020-10-12 02:07:14 +02:00 · 2020-10-12 02:07:07 +02:00
5 changed files with 179 additions and 17 deletions
--- a/2
+++ b/2
@ -8,7 +8,7 @@ fuzz () {
 	echo "`tput bold`-- Fuzzing $1`tput sgr0`"
 	mkdir -p /tmp/corpus-$1
 	./fuzz-executor -test=$1 -artifact_prefix=$1- \
-		-max_len=32 -max_total_time=600 -timeout=1 /tmp/corpus-$1
+		-max_total_time=600 -timeout=1 /tmp/corpus-$1
 }

 if [ $# -gt 0 ]; then
--- a/liberty-proto.c
+++ b/liberty-proto.c
@ -1567,13 +1567,12 @@ mpd_client_parse_line (struct mpd_client *self, const char *line)
 	if (!strcmp (line, "list_OK"))
 		strv_append_owned (&self->data, NULL);
 	else if (mpd_client_parse_response (line, &response))
-	{
 		mpd_client_dispatch (self, &response);
-		free (response.current_command);
-		free (response.message_text);
-	}
 	else
 		strv_append (&self->data, line);
+
+	free (response.current_command);
+	free (response.message_text);
 	return true;
 }

--- a/liberty.c
+++ b/liberty.c
@ -5087,18 +5087,21 @@ config_tokenizer_next (struct config_tokenizer *self, struct error **e)
 		return CONFIG_T_STRING;
 	}

-	char *end;
+	// Our input doesn't need to be NUL-terminated but we want to use strtoll()
+	char buf[48] = "", *end = buf;
+	size_t buf_len = MIN (sizeof buf - 1, self->len);
+
 	errno = 0;
-	self->integer = strtoll (self->p, &end, 10);
+	self->integer = strtoll (strncpy (buf, self->p, buf_len), &end, 10);
 	if (errno == ERANGE)
 	{
 		config_tokenizer_error (self, e, "integer out of range");
 		return CONFIG_T_ABORT;
 	}
-	if (end != self->p)
+	if (end != buf)
 	{
-		self->len -= end - self->p;
-		self->p = end;
+		self->len -= end - buf;
+		self->p += end - buf;
 		return CONFIG_T_INTEGER;
 	}

@ -5111,7 +5114,7 @@ config_tokenizer_next (struct config_tokenizer *self, struct error **e)
 	str_reset (&self->string);
 	do
 		str_append_c (&self->string, config_tokenizer_advance (self));
-	while (config_tokenizer_is_word_char (*self->p));
+	while (self->len && config_tokenizer_is_word_char (*self->p));

 	if (!strcmp (self->string.str, "null"))
 		return CONFIG_T_NULL;
--- a/tests/fuzz.c
+++ b/tests/fuzz.c
@ -32,6 +32,13 @@
 #define LIBERTY_WANT_PROTO_MPD

 #include "../liberty.c"
+#include "../liberty-tui.c"
+
+static bool
+app_is_character_in_locale (ucs4_t ch)
+{
+	return ch < 128;
+}

 // --- UTF-8 -------------------------------------------------------------------

@ -46,9 +53,14 @@ test_utf8_validate (const uint8_t *data, size_t size)
 static void
 test_base64_decode (const uint8_t *data, size_t size)
 {
+	struct str wrap = str_make ();
+	str_append_data (&wrap, data, size);
+
 	struct str out = str_make ();
-	base64_decode ((const char *) data, size, &out);
+	base64_decode (wrap.str, true /* ignore_ws */, &out);
 	str_free (&out);
+
+	str_free (&wrap);
 }

 // --- IRC ---------------------------------------------------------------------
@ -131,7 +143,7 @@ test_scgi_parser_push (const uint8_t *data, size_t size)
 // --- WebSockets --------------------------------------------------------------

 static bool
-test_websockets_on_frame_header (void *user_data, const struct ws_parser *self)
+test_ws_parser_on_frame_header (void *user_data, const struct ws_parser *self)
 {
 	(void) user_data;
 	(void) self;
@ -139,7 +151,7 @@ test_websockets_on_frame_header (void *user_data, const struct ws_parser *self)
 }

 static bool
-test_websockets_on_frame (void *user_data, const struct ws_parser *self)
+test_ws_parser_on_frame (void *user_data, const struct ws_parser *self)
 {
 	(void) user_data;
 	(void) self;
@ -150,13 +162,84 @@ static void
 test_ws_parser_push (const uint8_t *data, size_t size)
 {
 	struct ws_parser parser = ws_parser_make ();
-	parser.on_frame_header = test_websockets_on_frame_header;
-	parser.on_frame        = test_websockets_on_frame;
+	parser.on_frame_header = test_ws_parser_on_frame_header;
+	parser.on_frame        = test_ws_parser_on_frame;

 	ws_parser_push (&parser, data, size);
 	ws_parser_free (&parser);
 }

+// --- FastCGI -----------------------------------------------------------------
+
+static bool
+test_fcgi_parser_on_message (const struct fcgi_parser *parser, void *user_data)
+{
+	(void) parser;
+	(void) user_data;
+	return true;
+}
+
+static void
+test_fcgi_parser_push (const uint8_t *data, size_t size)
+{
+	struct fcgi_parser parser = fcgi_parser_make ();
+	parser.on_message = test_fcgi_parser_on_message;
+	fcgi_parser_push (&parser, data, size);
+	fcgi_parser_free (&parser);
+}
+
+static void
+test_fcgi_nv_parser_push (const uint8_t *data, size_t size)
+{
+	struct str_map values = str_map_make (free);
+	struct fcgi_nv_parser nv_parser = fcgi_nv_parser_make ();
+	nv_parser.output = &values;
+
+	fcgi_nv_parser_push (&nv_parser, data, size);
+	fcgi_nv_parser_free (&nv_parser);
+	str_map_free (&values);
+}
+
+// --- Config ------------------------------------------------------------------
+
+static void
+test_config_item_parse (const uint8_t *data, size_t size)
+{
+	struct config_item *item =
+		config_item_parse ((const char *) data, size, false, NULL);
+	if (item)
+		config_item_destroy (item);
+}
+
+// --- TUI ---------------------------------------------------------------------
+
+static void
+test_attrs_decode (const uint8_t *data, size_t size)
+{
+	struct str wrap = str_make ();
+	str_append_data (&wrap, data, size);
+
+	attrs_decode (wrap.str);
+
+	str_free (&wrap);
+}
+
+// --- MPD ---------------------------------------------------------------------
+
+static void
+test_mpd_client_process_input (const uint8_t *data, size_t size)
+{
+	struct poller poller;
+	poller_init (&poller);
+
+	struct mpd_client mpd = mpd_client_make (&poller);
+	str_append_data (&mpd.read_buffer, data, size);
+	mpd_client_process_input (&mpd);
+	mpd_client_free (&mpd);
+
+	poller_free (&poller);
+}
+
 // --- Main --------------------------------------------------------------------

 typedef void (*fuzz_test_fn) (const uint8_t *data, size_t size);
@ -180,7 +263,11 @@ LLVMFuzzerInitialize (int *argcp, char ***argvp)
 	REGISTER (http_parse_upgrade)
 	REGISTER (scgi_parser_push)
 	REGISTER (ws_parser_push)
-	// TODO: add more parsers/processors
+	REGISTER (fcgi_parser_push)
+	REGISTER (fcgi_nv_parser_push)
+	REGISTER (config_item_parse)
+	REGISTER (attrs_decode)
+	REGISTER (mpd_client_process_input)

 	char **argv = *argvp, *option = "-test=", *name = NULL;
 	for (int i = 1; i < *argcp; i++)
--- a/tests/liberty.c
+++ b/tests/liberty.c
@ -604,6 +604,78 @@ test_connector (const void *user_data, struct test_connector_fixture *self)
 	connector_free (&connector);
 }

+// --- Configuration -----------------------------------------------------------
+
+static void
+on_test_config_foo_change (struct config_item *item)
+{
+	*(bool *) item->user_data = item->value.boolean;
+}
+
+static bool
+test_config_validate_nonnegative
+	(const struct config_item *item, struct error **e)
+{
+	if (item->type == CONFIG_ITEM_NULL)
+		return true;
+
+	hard_assert (item->type == CONFIG_ITEM_INTEGER);
+	if (item->value.integer >= 0)
+		return true;
+
+	error_set (e, "must be non-negative");
+	return false;
+}
+
+static struct config_schema g_config_test[] =
+{
+	{ .name      = "foo",
+	  .comment   = "baz",
+	  .type      = CONFIG_ITEM_BOOLEAN,
+	  .default_  = "off",
+	  .on_change = on_test_config_foo_change },
+	{ .name      = "bar",
+	  .type      = CONFIG_ITEM_INTEGER,
+	  .validate  = test_config_validate_nonnegative,
+	  .default_  = "1" },
+	{ .name      = "foobar",
+	  .type      = CONFIG_ITEM_STRING,
+	  .default_  = "\"qux\\x01\"" },
+	{}
+};
+
+static void
+test_config_load (struct config_item *subtree, void *user_data)
+{
+	config_schema_apply_to_object (g_config_test, subtree, user_data);
+}
+
+static void
+test_config (void)
+{
+	struct config config = config_make ();
+
+	bool b = true;
+	config_register_module (&config, "top", test_config_load, &b);
+	config_load (&config, config_item_object ());
+	config_schema_call_changed (config.root);
+	hard_assert (b == false);
+
+	struct config_item *invalid = config_item_integer (-1);
+	hard_assert (!config_item_set_from (config_item_get (config.root,
+		"top.bar", NULL), invalid, NULL));
+	config_item_destroy (invalid);
+
+	struct str s = str_make ();
+	config_item_write (config.root, true, &s);
+	struct config_item *parsed = config_item_parse (s.str, s.len, false, NULL);
+	hard_assert (parsed);
+	config_item_destroy (parsed);
+	str_free (&s);
+
+	config_free (&config);
+}
+
 // --- Main --------------------------------------------------------------------

 int
@ -622,6 +694,7 @@ main (int argc, char *argv[])
 	test_add_simple (&test, "/utf-8",          NULL, test_utf8);
 	test_add_simple (&test, "/base64",         NULL, test_base64);
 	test_add_simple (&test, "/async",          NULL, test_async);
+	test_add_simple (&test, "/config",         NULL, test_config);

 	test_add (&test, "/connector", struct test_connector_fixture, NULL,
 		test_connector_fixture_init,
Author	SHA1	Message	Date
Přemysl Eric Janouch	9b72304963	Fix a memory leak in mpd_client_parse_line()	2020-10-12 02:07:15 +02:00
Přemysl Eric Janouch	1cd9ba8d97	Import configuration test from degesch	2020-10-12 02:07:15 +02:00
Přemysl Eric Janouch	7e5b6c5343	Fix crashes in the config parser It had a duality between not requiring null-terminated input and relying on it, depending on where you looked.	2020-10-12 02:07:14 +02:00
Přemysl Eric Janouch	c2c5031538	Add remaining fuzzing entry points Closes #1	2020-10-12 02:07:07 +02:00