zebra: Ensure stream meets some level of stringency for fuzzing

In the fuzzing code we cut to the chase and call zserv_handle_commands
which bypasses the basic parsing correctness done in zserv_read
duplicate some of this code in the zserv_handle_commands function
so we can throw away blatantly bad packages.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/zebra/zapi_msg.c b/zebra/zapi_msg.c
index f205c9bedcb8f77adf11af0962bc7f5785c1fef4..4b589d1afd7b5d1bdb0b4f5c03f0904be10073e6 100644 (file)
--- a/zebra/zapi_msg.c
+++ b/zebra/zapi_msg.c
@@ -3778,8 +3778,34 @@ void zserv_handle_commands(struct zserv *client, struct stream_fifo *fifo)
                        goto continue_loop;
                }
 
+#ifdef FUZZING
+               /*
+                * The stream read over in zserv_read
+                * already guarantees this conditional
+                * when we read actual packets from clients
+                * but since we are cheating there is no
+                * point in allowing a crash in the fuzzing
+                * here.  So let's prevent it.
+                */
+               if (STREAM_READABLE(msg) < ZEBRA_HEADER_SIZE)
+                       goto continue_loop;
+#endif
                zapi_parse_header(msg, &hdr);
 
+#ifdef FUZZING
+               /*
+                * The stream read over in zserv_read
+                * already guarantees the sizing of the packet
+                * before it can even be enqueued but FUZZING
+                * is cheating and calling this function directly
+                * Let's cut to the chase and prevent a crash
+                * because we have a funny header size -vs-
+                * what we can read.
+                */
+               if (STREAM_SIZE(msg) != hdr.length)
+                       goto continue_loop;
+#endif
+
                if (IS_ZEBRA_DEBUG_PACKET && IS_ZEBRA_DEBUG_RECV
                    && IS_ZEBRA_DEBUG_DETAIL)
                        zserv_log_message(NULL, msg, &hdr);