From: Donald Sharp Date: Wed, 4 Aug 2021 14:55:39 +0000 (-0400) Subject: zebra: Ensure stream meets some level of stringency for fuzzing X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=3a594fde486abf79f9eff66e8b98189b57a89f3a;p=mirror%2Ffrr.git zebra: Ensure stream meets some level of stringency for fuzzing In the fuzzing code we cut to the chase and call zserv_handle_commands which bypasses the basic parsing correctness done in zserv_read duplicate some of this code in the zserv_handle_commands function so we can throw away blatantly bad packages. Signed-off-by: Donald Sharp --- diff --git a/zebra/zapi_msg.c b/zebra/zapi_msg.c index f205c9bedc..4b589d1afd 100644 --- a/zebra/zapi_msg.c +++ b/zebra/zapi_msg.c @@ -3778,8 +3778,34 @@ void zserv_handle_commands(struct zserv *client, struct stream_fifo *fifo) goto continue_loop; } +#ifdef FUZZING + /* + * The stream read over in zserv_read + * already guarantees this conditional + * when we read actual packets from clients + * but since we are cheating there is no + * point in allowing a crash in the fuzzing + * here. So let's prevent it. + */ + if (STREAM_READABLE(msg) < ZEBRA_HEADER_SIZE) + goto continue_loop; +#endif zapi_parse_header(msg, &hdr); +#ifdef FUZZING + /* + * The stream read over in zserv_read + * already guarantees the sizing of the packet + * before it can even be enqueued but FUZZING + * is cheating and calling this function directly + * Let's cut to the chase and prevent a crash + * because we have a funny header size -vs- + * what we can read. + */ + if (STREAM_SIZE(msg) != hdr.length) + goto continue_loop; +#endif + if (IS_ZEBRA_DEBUG_PACKET && IS_ZEBRA_DEBUG_RECV && IS_ZEBRA_DEBUG_DETAIL) zserv_log_message(NULL, msg, &hdr);
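Review bot: In the second `#ifdef FUZZING` block, `STREAM_SIZE(msg) != hdr.length` compares the header length against the stream's allocated size rather than against the bytes actually present, so a fuzz input whose buffer was allocated larger than its payload is either rejected outright or, if the sizes happen to match, allowed through with `hdr.length` exceeding the readable data; comparing against `STREAM_READABLE(msg) + ZEBRA_HEADER_SIZE` (the readable count after the header has been consumed) and also rejecting `hdr.length < ZEBRA_HEADER_SIZE` would mirror what `zserv_read` enforces more faithfully. The commit message says this duplicates the parsing checks from `zserv_read`; factoring that validation into one shared helper called from both places, instead of a copy guarded by `#ifdef FUZZING`, would keep the fuzz harness on the same code path as production and avoid the two drifting apart.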