author | Petr Štetiar <ynezz@true.cz> | 2020-01-18 20:32:55 +0300 |
---|---|---|
committer | Petr Štetiar <ynezz@true.cz> | 2020-01-20 18:54:10 +0300 |
commit | 5c0faaf4f5e26180dcc31b7e8558d57426d84085 (patch) | |
tree | 332940834d2e8ec9a8e9ac219db908d9188b2834 /tests/fuzz | |
parent | 1ffa41535369f5bb67d1eb5bdcb306671ca1d2e4 (diff) |
tests: prefer dynamically allocated buffers
Helps Valgrind (and similar tools) detect out-of-bounds reads and other issues.
Conditional jump or move depends on uninitialised value(s)
at 0x5452886: blobmsg_parse (blobmsg.c:203)
by 0x400A8E: test_blobmsg (tests/test-blobmsg-parse.c:66)
by 0x400A8E: main (tests/test-blobmsg-parse.c:82)
Conditional jump or move depends on uninitialised value(s)
at 0x545247F: blobmsg_check_name (blobmsg.c:39)
by 0x545247F: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)
Conditional jump or move depends on uninitialised value(s)
at 0x54524A0: blobmsg_check_name (blobmsg.c:42)
by 0x54524A0: blobmsg_check_attr_len (blobmsg.c:79)
by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
by 0x400AB8: main (tests/test-blobmsg-parse.c:82)
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/021204.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Diffstat (limited to 'tests/fuzz')
-rw-r--r-- | tests/fuzz/test-fuzz.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/tests/fuzz/test-fuzz.c b/tests/fuzz/test-fuzz.c
index 4dc13a8..026a3fd 100644
--- a/tests/fuzz/test-fuzz.c
+++ b/tests/fuzz/test-fuzz.c
@@ -91,10 +91,18 @@ static void fuzz_blob_parse(const uint8_t *data, size_t size)
 	blob_parse_untrusted(buf, size, foo, foo_policy, __FOO_ATTR_MAX);
 }
 
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
 {
+	uint8_t *data;
+
+	data = malloc(size);
+	if (!data)
+		return -1;
+
+	memcpy(data, input, size);
 	fuzz_blob_parse(data, size);
 	fuzz_blobmsg_parse(data, size);
+	free(data);
 	return 0;
 } |
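Review bot: `malloc(size)` in the new LLVMFuzzerTestOneInput body is allowed to return NULL when size is 0, so on such implementations the empty input — exactly the case a parser of untrusted blobs should be exercised with — is reported as an allocation failure and never reaches blob_parse_untrusted or blobmsg parsing. The `return -1` on that path is also outside the documented libFuzzer contract, which expects 0 from the callback (newer versions reserve -1 to mean "drop this input from the corpus"), so a driver may misinterpret it. Handle the empty case before allocating rather than treating it as an error: `if (!size) { fuzz_blob_parse(input, 0); fuzz_blobmsg_parse(input, 0); return 0; }`, and keep the NULL check for the non-empty case, where failing loudly (`abort()`) is more useful in a harness than silently skipping the input. The hunk adds calls to `malloc`, `memcpy` and `free` but no includes and the diffstat shows no other change in this file, so confirm `<stdlib.h>` and `<string.h>` are already included above the hunk. Note that libFuzzer itself already passes an exactly-sized heap copy per run, so the copy mainly buys precise bounds when the harness is driven by other runners such as the Valgrind setup the commit message describes — worth a one-line comment at the malloc so nobody later removes it as redundant.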