/src/fuzz_header.h

Source (jump to first uncovered line)
/* Copyright 2021 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

#include "dnsmasq.h"

extern void fuzz_blockdata_cleanup();

// Simple garbage collector 
#define GB_SIZE 100

void *pointer_arr[GB_SIZE];
static int pointer_idx = 0;

// If the garbage collector is used then this must be called as first thing
// during a fuzz run.
void gb_init() {
  pointer_idx = 0;

   for (int i = 0; i < GB_SIZE; i++) {
     pointer_arr[i] = NULL;
   }
}

void gb_cleanup() {
  for(int i = 0; i < GB_SIZE; i++) {
    if (pointer_arr[i] != NULL) {
      free(pointer_arr[i]);
    }
  }
}

char *get_len_null_terminated(const uint8_t **data, size_t *size, size_t to_get) {
  if (*size < to_get || (int)*size < 0) {
    return NULL;
  }

  char *new_s = malloc(to_get + 1);
  memcpy(new_s, *data, to_get);
  new_s[to_get] = '\0';

  *data = *data+to_get;
  *size -= to_get;
  return new_s;
}

char *get_null_terminated(const uint8_t **data, size_t *size) {
#define STR_SIZE 75
  return get_len_null_terminated(data, size, STR_SIZE);
}

char *gb_get_random_data(const uint8_t **data, size_t *size, size_t to_get) {
  if (*size < to_get || (int)*size < 0) {
    return NULL;
  }

  char *new_s = malloc(to_get);
  memcpy(new_s, *data, to_get);

  pointer_arr[pointer_idx++] = (void*)new_s;
  
  *data = *data + to_get;
  *size -= to_get;

  return new_s;
}

char *gb_get_null_terminated(const uint8_t **data, size_t *size) {

  char *nstr = get_null_terminated(data, size);
  if (nstr == NULL) {
    return NULL;
  }
  pointer_arr[pointer_idx++] = (void*)nstr;
  return nstr;
}

char *gb_get_len_null_terminated(const uint8_t **data, size_t *size, size_t to_get) {

  char *nstr = get_len_null_terminated(data, size, to_get);
  if (nstr != NULL) {
    pointer_arr[pointer_idx++] = (void*)nstr;
  }
  return nstr;
}

char *gb_alloc_data(size_t len) {
  char *ptr = calloc(1, len);
  pointer_arr[pointer_idx++] = (void*)ptr;
  
  return ptr;
}

short get_short(const uint8_t **data, size_t *size) {
  if (*size <= 0) return 0;
  short c = (short)(*data)[0];
  *data += 1;
  *size-=1;
  return c;
}

int get_int(const uint8_t **data, size_t *size) {
  if (*size <= 4) return 0;
  const uint8_t *ptr = *data;
  int val = *((int*)ptr);
  *data += 4;
  *size -= 4;
  return val;
}
// end simple garbage collector.

const uint8_t *syscall_data = NULL;
size_t syscall_size = 0;


int fuzz_ioctl(int fd, unsigned long request, void *arg) {
  int fd2 = fd;
  unsigned long request2 = request;
  void *arg_ptr = arg;

  // SIOCGSTAMP
  if (request == SIOCGSTAMP) {
    struct timeval *tv = (struct timeval*)arg_ptr;
    if (tv == NULL) {
      return 0;
    }

    char *rand_tv = gb_get_random_data(&syscall_data, &syscall_size, sizeof(struct timeval));
    if (rand_tv == NULL) {
      return -1;
    }

    memcpy(tv, rand_tv, sizeof(struct timeval));
    return 0;
  }

  if (request == SIOCGIFNAME) {
    //printf("We got a SIOCGIFNAME\n");
    struct ifreq *ifr = (struct ifreq*)arg_ptr;
    if (ifr == NULL) {
      return -1;
    }
    for (int i = 0; i < IF_NAMESIZE; i++) {
      if (syscall_size > 0 && syscall_data != NULL) {
        ifr->ifr_name[i] = (char)*syscall_data;
        syscall_data += 1;
        syscall_size -= 1;
      }
      else {
        ifr->ifr_name[i] = 'A';
      }
    }
    ifr->ifr_name[IF_NAMESIZE-1] = '\0';
    return 0;
    //return -1;
  }
  if (request == SIOCGIFFLAGS) {
    return 0;
  }
  if (request == SIOCGIFADDR) {
    return 0;
  }

  // 
  int retval = ioctl(fd2, request2, arg_ptr); 
  return retval;
}


// Sysytem call wrappers
static char v = 0;
ssize_t fuzz_recvmsg(int sockfd, struct msghdr *msg, int flags) {
  
  struct iovec *target = msg->msg_iov;

  //printf("recvmsg 1 \n");
  if (syscall_size > 1) {
    char r = *syscall_data;
    syscall_data += 1;
    syscall_size -= 1;

    if (r == 12) {
      //printf("recvmsg 2\n");
      return -1;
    }
  }

  int j = 0;
  if (msg->msg_control != NULL) {
    for (;j < CMSG_SPACE(sizeof(struct in_pktinfo)); j++)
    {
      if (syscall_size > 0 && syscall_data != NULL) {
        ((char*)msg->msg_control)[j] = *syscall_data;
        syscall_data += 1;
        syscall_size -= 1;
      }
      else {
        ((char*)msg->msg_control)[j] = 'A';
      }
    }
  }

  int i = 0;
  for (; i < target->iov_len; i++) {
    if (syscall_size > 0 && syscall_data != NULL) {
      ((char*)target->iov_base)[i] = *syscall_data;
      syscall_data += 1;
      syscall_size -= 1;
    }
    else {
      ((char*)target->iov_base)[i] = 'A';
    }
  }

  if (msg->msg_namelen > 0) {
    memset(msg->msg_name, 0, msg->msg_namelen);
  }

  return i;
}


// dnsmasq specific stuff
int init_daemon(const uint8_t **data2, size_t *size2) {
  const uint8_t *data = *data2;
  size_t size = *size2;

  int retval = 0;

#define CLEAN_IF_NULL(arg) if (arg == NULL) goto cleanup;

  // Initialize daemon
  daemon = (struct daemon*)gb_alloc_data(sizeof(struct daemon));
  CLEAN_IF_NULL(daemon)

  // daemon misc
  daemon->max_ttl = get_int(&data, &size);
  daemon->neg_ttl = get_int(&data, &size);
  daemon->local_ttl = get_int(&data, &size);
  daemon->min_cache_ttl = get_int(&data, &size);

  // daemon->namebuff.
  char *daemon_namebuff = gb_get_len_null_terminated(&data, &size, MAXDNAME);
  daemon->namebuff = daemon_namebuff;

  // daemon->naptr
  struct naptr *naptr_ptr = (struct naptr*)gb_alloc_data(sizeof(struct naptr));
  char *naptr_name = gb_get_null_terminated(&data, &size);
  char *naptr_replace = gb_get_null_terminated(&data, &size);
  char *naptr_regexp = gb_get_null_terminated(&data, &size);
  char *naptr_services = gb_get_null_terminated(&data, &size);
  char *naptr_flags = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(naptr_ptr)
  CLEAN_IF_NULL(naptr_name)
  CLEAN_IF_NULL(naptr_replace)
  CLEAN_IF_NULL(naptr_regexp)
  CLEAN_IF_NULL(naptr_services)
  CLEAN_IF_NULL(naptr_flags)

  naptr_ptr->name = naptr_name;
  naptr_ptr->replace = naptr_replace;
  naptr_ptr->regexp = naptr_regexp;
  naptr_ptr->services = naptr_services;
  naptr_ptr->flags = naptr_flags;

  daemon->naptr = naptr_ptr;

  // daemon->int_names
  struct interface_name *int_namses = (struct interface_name*)gb_alloc_data(sizeof(struct interface_name));

  char *int_name = gb_get_null_terminated(&data, &size);
  char *int_intr = gb_get_null_terminated(&data, &size);
  CLEAN_IF_NULL(int_namses)
  CLEAN_IF_NULL(int_name)
  CLEAN_IF_NULL(int_intr)
  int_namses->name = int_name;
  int_namses->intr = int_intr;

  struct addrlist *d_addrlist = (struct addrlist*)gb_alloc_data(sizeof(struct addrlist));
  CLEAN_IF_NULL(d_addrlist)
  d_addrlist->flags = get_int(&data, &size);
  d_addrlist->prefixlen = get_int(&data, &size);
  int_namses->addr = d_addrlist;

  daemon->int_names = int_namses;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->addrbuf
  char *adbuf = gb_alloc_data(200);
  CLEAN_IF_NULL(adbuf)
  daemon->addrbuff = adbuf;

  // daemon->auth_zones
  struct auth_zone *d_az = (struct auth_zone*)gb_alloc_data(sizeof(struct auth_zone));
  char *auth_domain = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(d_az)
  CLEAN_IF_NULL(auth_domain)
  d_az->domain = auth_domain;
  daemon->auth_zones = d_az;

  // deamon->mxnames
  struct mx_srv_record *mx_srv_rec = (struct mx_srv_record*)gb_alloc_data(sizeof(struct mx_srv_record));
  char *mx_name = gb_get_null_terminated(&data, &size);
  char *mx_target = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(mx_srv_rec)
  CLEAN_IF_NULL(mx_target)
  CLEAN_IF_NULL(mx_name)

  mx_srv_rec->next = daemon->mxnames;
  daemon->mxnames = mx_srv_rec;
  mx_srv_rec->name = mx_name;
  mx_srv_rec->target = mx_target;
  mx_srv_rec->issrv = get_int(&data, &size);
  mx_srv_rec->weight = get_int(&data, &size);
  mx_srv_rec->priority = get_int(&data, &size);
  mx_srv_rec->srvport = get_int(&data, &size);
  //data += 40;
  //size -= 40;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->txt
  struct txt_record *txt_record = (struct txt_record *)gb_alloc_data(sizeof(struct txt_record));
  char *txt_record_name =  gb_get_null_terminated(&data, &size);
  char *txt_record_txt = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(txt_record)
  CLEAN_IF_NULL(txt_record_name)
  CLEAN_IF_NULL(txt_record_txt)

  txt_record->name = txt_record_name;
  txt_record->txt = (unsigned char*)txt_record_txt;
  txt_record->class2 = (get_short(&data, &size) % 10);
  daemon->txt = txt_record;

  // daemon->rr
  struct txt_record *rr_record = (struct txt_record *)gb_alloc_data(sizeof(struct txt_record));
  char *rr_record_name =  gb_get_null_terminated(&data, &size);
  char *rr_record_txt = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(rr_record)
  CLEAN_IF_NULL(rr_record_name)
  CLEAN_IF_NULL(rr_record_txt)

  rr_record->name = rr_record_name;
  rr_record->txt = (unsigned char*)rr_record_txt;
  rr_record->class2 = (get_short(&data, &size) % 10);
  daemon->rr = rr_record;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->relay4
  //struct dhcp_relay *dr = (struct dhcp_relay*)gb_alloc_data(sizeof(struct dhcp_relay));
  struct dhcp_relay *dr = (struct dhcp_relay*)gb_get_random_data(&data, &size, sizeof(struct dhcp_relay));
  char *dr_interface = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(dr)
  CLEAN_IF_NULL(dr_interface)
  dr->interface = dr_interface;
  dr->next = NULL;
  //dr->current = NULL;
  daemon->relay4 = dr;

  // deamon->bridges
  struct dhcp_bridge *db = (struct dhcp_bridge*)gb_alloc_data(sizeof(struct dhcp_bridge));
  char *db_interface = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(db)
  CLEAN_IF_NULL(db_interface)

  if (strlen(db_interface) > IF_NAMESIZE) {
    for (int i = 0; i < IF_NAMESIZE; i++) {
      db->iface[i] = db_interface[i];
    }
  } else {
    for (int i = 0; i < strlen(db_interface); i++) {
      db->iface[i] = db_interface[i];
    }
  }


  struct dhcp_bridge *db_alias = (struct dhcp_bridge*)gb_alloc_data(sizeof(struct dhcp_bridge));
  //struct dhcp_bridge *db_alias = (struct dhcp_bridge*)gb_get_random_data(&data, &size, sizeof(struct dhcp_bridge));
  char *db_alias_interface = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(db_alias)
  CLEAN_IF_NULL(db_alias_interface)

  if (strlen(db_alias_interface) > IF_NAMESIZE) {
    for (int i = 0; i < IF_NAMESIZE; i++) {
      db_alias->iface[i] = db_alias_interface[i];
    }
  } else {
    for (int i = 0; i < strlen(db_alias_interface); i++) {
      db_alias->iface[i] = db_alias_interface[i];
    }
  }
  db->alias = db_alias;
  daemon->bridges = db;

  // daemon->if_names
  struct iname *in = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *iname_name = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(in)
  CLEAN_IF_NULL(iname_name)

  in->name = iname_name;
  in->next = NULL;

  daemon->if_names = in;

  // daemon->if_addrs
  struct iname *in_addr = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *iname_name_addr = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(in_addr)
  CLEAN_IF_NULL(iname_name_addr)

  in_addr->name = iname_name_addr;
  in_addr->next = NULL;

  daemon->if_addrs = in_addr;

  // daemon->if_except
  struct iname *in_except = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *iname_name_except = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(in_except)
  CLEAN_IF_NULL(iname_name_except)

  in_except->name = iname_name_except;
  in_except->next = NULL;

  daemon->if_except = in_except;

  // daemon->dhcp_except
  struct iname *except = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *name_except = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(except)
  CLEAN_IF_NULL(name_except)

  except->name = name_except;
  except->next = NULL;

  daemon->dhcp_except = except;

  // daemon->authinterface
  struct iname *auth_interface = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *auth_name = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(auth_interface)
  CLEAN_IF_NULL(auth_name)

  auth_interface->name = auth_name;
  auth_interface->next = NULL;

  daemon->authinterface = auth_interface;


  // daemon->cnames
  struct cname *cn = (struct cname*)gb_alloc_data(sizeof(struct cname));
  char *cname_alias = gb_get_null_terminated(&data, &size);
  char *cname_target = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(cn)
  CLEAN_IF_NULL(cname_alias)
  CLEAN_IF_NULL(cname_target)

  cn->alias = cname_alias;
  cn->target = cname_target;
  daemon->cnames = cn;


  // daemon->ptr
  struct ptr_record *ptr = (struct ptr_record *)gb_alloc_data(sizeof(struct ptr_record));
  CLEAN_IF_NULL(ptr)

  char *ptr_name = gb_get_null_terminated(&data, &size);
  CLEAN_IF_NULL(ptr_name)
  ptr->name = ptr_name;
  daemon->ptr = ptr;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->dhcp
  struct dhcp_context *dhcp_c = (struct dhcp_context *) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
  
  char *dhcp_c_temp_in = gb_get_null_terminated(&data, &size);

  struct dhcp_netid *dhcp_c_netid = (struct dhcp_netid *) gb_alloc_data(sizeof(struct dhcp_netid));
  char *dhcp_netid_net = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(dhcp_c)
  CLEAN_IF_NULL(dhcp_c_temp_in)
  CLEAN_IF_NULL(dhcp_c_netid)
  CLEAN_IF_NULL(dhcp_netid_net)

  dhcp_c->next = NULL;
  dhcp_c->current = NULL;
  dhcp_c_netid->net = dhcp_netid_net;
  dhcp_c->filter = dhcp_c_netid;
  dhcp_c->template_interface = dhcp_c_temp_in;

  daemon->dhcp = dhcp_c;


  // daemon->dhcp6
  struct dhcp_context *dhcp6_c = (struct dhcp_context *) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
  
  char *dhcp6_c_temp_in = gb_get_null_terminated(&data, &size);

  struct dhcp_netid *dhcp6_c_netid = (struct dhcp_netid *) gb_alloc_data(sizeof(struct dhcp_netid));
  char *dhcp6_netid_net = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(dhcp6_c)
  CLEAN_IF_NULL(dhcp6_c_temp_in)
  CLEAN_IF_NULL(dhcp6_c_netid)
  CLEAN_IF_NULL(dhcp6_netid_net)

  dhcp6_c->next = NULL;
  dhcp6_c->current = NULL;
  dhcp6_c_netid->net = dhcp6_netid_net;
  dhcp6_c->filter = dhcp6_c_netid;
  dhcp6_c->template_interface = dhcp6_c_temp_in;

  daemon->dhcp6 = dhcp6_c;

  // daemon->doing_dhcp6
  daemon->doing_dhcp6 = 1;

  // daemon->dhcp_buffs
  char *dhcp_buff = gb_alloc_data(DHCP_BUFF_SZ);
  char *dhcp_buff2 = gb_alloc_data(DHCP_BUFF_SZ);
  char *dhcp_buff3 = gb_alloc_data(DHCP_BUFF_SZ);

  CLEAN_IF_NULL(dhcp_buff)
  CLEAN_IF_NULL(dhcp_buff2)
  CLEAN_IF_NULL(dhcp_buff3)

  daemon->dhcp_buff = dhcp_buff;
  daemon->dhcp_buff2 = dhcp_buff2;
  daemon->dhcp_buff3 = dhcp_buff3;



  // daemon->ignore_addr
  struct bogus_addr *bb = (struct bogus_addr *)gb_alloc_data(sizeof(struct bogus_addr));
  CLEAN_IF_NULL(bb)

  daemon->ignore_addr = bb;

  // daemon->doctors
  if (size > *size2) {
    goto cleanup;
  }

  struct doctor *doctors = (struct doctor *)gb_alloc_data(sizeof(struct doctor));
  CLEAN_IF_NULL(doctors)

  doctors->next = NULL;
  daemon->doctors = doctors;

  retval = 0;
  goto ret;
cleanup:
  retval = -1;

ret:
  return retval;
}

Coverage Report

Created: 2025-07-18 06:19

Line	Count	Source (jump to first uncovered line)
1		/* Copyright 2021 Google LLC
2		Licensed under the Apache License, Version 2.0 (the "License");
3		you may not use this file except in compliance with the License.
4		You may obtain a copy of the License at
5		http://www.apache.org/licenses/LICENSE-2.0
6		Unless required by applicable law or agreed to in writing, software
7		distributed under the License is distributed on an "AS IS" BASIS,
8		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9		See the License for the specific language governing permissions and
10		limitations under the License.
11		*/
12
13		#include "dnsmasq.h"
14
15		extern void fuzz_blockdata_cleanup();
16
17		// Simple garbage collector
18	171k	#define GB_SIZE 100
19
20		void *pointer_arr[GB_SIZE];
21		static int pointer_idx = 0;
22
23		// If the garbage collector is used then this must be called as first thing
24		// during a fuzz run.
25	851	void gb_init() {
26	851	pointer_idx = 0;
27
28	85.9k	for (int i = 0; i < GB_SIZE; i++) {
29	85.1k	pointer_arr[i] = NULL;
30	85.1k	}
31	851	}
32
33	851	void gb_cleanup() {
34	85.9k	for(int i = 0; i < GB_SIZE; i++) {
35	85.1k	if (pointer_arr[i] != NULL) {
36	38.6k	free(pointer_arr[i]);
37	38.6k	}
38	85.1k	}
39	851	}
40
41	21.6k	char get_len_null_terminated(const uint8_t data, size_t size, size_t to_get) {
42	21.6k	if (size < to_get \|\| (int)size < 0) {
43	745	return NULL;
44	745	}
45
46	20.8k	char *new_s = malloc(to_get + 1);
47	20.8k	memcpy(new_s, *data, to_get);
48	20.8k	new_s[to_get] = '\0';
49
50	20.8k	data = data+to_get;
51	20.8k	*size -= to_get;
52	20.8k	return new_s;
53	21.6k	}
54
55	19.6k	char get_null_terminated(const uint8_t data, size_t size) {
56	19.6k	#define STR_SIZE 75
57	19.6k	return get_len_null_terminated(data, size, STR_SIZE);
58	19.6k	}
59
60	4.69k	char gb_get_random_data(const uint8_t data, size_t size, size_t to_get) {
61	4.69k	if (size < to_get \|\| (int)size < 0) {
62	54	return NULL;
63	54	}
64
65	4.64k	char *new_s = malloc(to_get);
66	4.64k	memcpy(new_s, *data, to_get);
67
68	4.64k	pointer_arr[pointer_idx++] = (void*)new_s;
69
70	4.64k	data = data + to_get;
71	4.64k	*size -= to_get;
72
73	4.64k	return new_s;
74	4.69k	}
75
76	19.6k	char gb_get_null_terminated(const uint8_t data, size_t size) {
77
78	19.6k	char *nstr = get_null_terminated(data, size);
79	19.6k	if (nstr == NULL) {
80	571	return NULL;
81	571	}
82	19.1k	pointer_arr[pointer_idx++] = (void*)nstr;
83	19.1k	return nstr;
84	19.6k	}
85
86	1.91k	char gb_get_len_null_terminated(const uint8_t data, size_t size, size_t to_get) {
87
88	1.91k	char *nstr = get_len_null_terminated(data, size, to_get);
89	1.91k	if (nstr != NULL) {
90	1.73k	pointer_arr[pointer_idx++] = (void*)nstr;
91	1.73k	}
92	1.91k	return nstr;
93	1.91k	}
94
95	13.1k	char *gb_alloc_data(size_t len) {
96	13.1k	char *ptr = calloc(1, len);
97	13.1k	pointer_arr[pointer_idx++] = (void*)ptr;
98
99	13.1k	return ptr;
100	13.1k	}
101
102	1.36k	short get_short(const uint8_t *data, size_t size) {
103	1.36k	if (*size <= 0) return 0;
104	1.36k	short c = (short)(*data)[0];
105	1.36k	*data += 1;
106	1.36k	*size-=1;
107	1.36k	return c;
108	1.36k	}
109
110	7.88k	int get_int(const uint8_t *data, size_t size) {
111	7.88k	if (*size <= 4) return 0;
112	7.81k	const uint8_t ptr = data;
113	7.81k	int val = ((int)ptr);
114	7.81k	*data += 4;
115	7.81k	*size -= 4;
116	7.81k	return val;
117	7.88k	}
118		// end simple garbage collector.
119
120		const uint8_t *syscall_data = NULL;
121		size_t syscall_size = 0;
122
123
124	0	int fuzz_ioctl(int fd, unsigned long request, void *arg) {
125	0	int fd2 = fd;
126	0	unsigned long request2 = request;
127	0	void *arg_ptr = arg;
128
129		// SIOCGSTAMP
130	0	if (request == SIOCGSTAMP) {
131	0	struct timeval tv = (struct timeval)arg_ptr;
132	0	if (tv == NULL) {
133	0	return 0;
134	0	}
135
136	0	char *rand_tv = gb_get_random_data(&syscall_data, &syscall_size, sizeof(struct timeval));
137	0	if (rand_tv == NULL) {
138	0	return -1;
139	0	}
140
141	0	memcpy(tv, rand_tv, sizeof(struct timeval));
142	0	return 0;
143	0	}
144
145	0	if (request == SIOCGIFNAME) {
146		//printf("We got a SIOCGIFNAME\n");
147	0	struct ifreq ifr = (struct ifreq)arg_ptr;
148	0	if (ifr == NULL) {
149	0	return -1;
150	0	}
151	0	for (int i = 0; i < IF_NAMESIZE; i++) {
152	0	if (syscall_size > 0 && syscall_data != NULL) {
153	0	ifr->ifr_name[i] = (char)*syscall_data;
154	0	syscall_data += 1;
155	0	syscall_size -= 1;
156	0	}
157	0	else {
158	0	ifr->ifr_name[i] = 'A';
159	0	}
160	0	}
161	0	ifr->ifr_name[IF_NAMESIZE-1] = '\0';
162	0	return 0;
163		//return -1;
164	0	}
165	0	if (request == SIOCGIFFLAGS) {
166	0	return 0;
167	0	}
168	0	if (request == SIOCGIFADDR) {
169	0	return 0;
170	0	}
171
172		//
173	0	int retval = ioctl(fd2, request2, arg_ptr);
174	0	return retval;
175	0	}
176
177
178		// Sysytem call wrappers
179		static char v = 0;
180	0	ssize_t fuzz_recvmsg(int sockfd, struct msghdr *msg, int flags) {
181
182	0	struct iovec *target = msg->msg_iov;
183
184		//printf("recvmsg 1 \n");
185	0	if (syscall_size > 1) {
186	0	char r = *syscall_data;
187	0	syscall_data += 1;
188	0	syscall_size -= 1;
189
190	0	if (r == 12) {
191		//printf("recvmsg 2\n");
192	0	return -1;
193	0	}
194	0	}
195
196	0	int j = 0;
197	0	if (msg->msg_control != NULL) {
198	0	for (;j < CMSG_SPACE(sizeof(struct in_pktinfo)); j++)
199	0	{
200	0	if (syscall_size > 0 && syscall_data != NULL) {
201	0	((char)msg->msg_control)[j] = syscall_data;
202	0	syscall_data += 1;
203	0	syscall_size -= 1;
204	0	}
205	0	else {
206	0	((char*)msg->msg_control)[j] = 'A';
207	0	}
208	0	}
209	0	}
210
211	0	int i = 0;
212	0	for (; i < target->iov_len; i++) {
213	0	if (syscall_size > 0 && syscall_data != NULL) {
214	0	((char)target->iov_base)[i] = syscall_data;
215	0	syscall_data += 1;
216	0	syscall_size -= 1;
217	0	}
218	0	else {
219	0	((char*)target->iov_base)[i] = 'A';
220	0	}
221	0	}
222
223	0	if (msg->msg_namelen > 0) {
224	0	memset(msg->msg_name, 0, msg->msg_namelen);
225	0	}
226
227	0	return i;
228	0	}
229
230
231		// dnsmasq specific stuff
232	851	int init_daemon(const uint8_t *data2, size_t size2) {
233	851	const uint8_t data = data2;
234	851	size_t size = *size2;
235
236	851	int retval = 0;
237
238	37.1k	#define CLEAN_IF_NULL(arg) if (arg == NULL) goto cleanup;
239
240		// Initialize daemon
241	851	daemon = (struct daemon*)gb_alloc_data(sizeof(struct daemon));
242	851	CLEAN_IF_NULL(daemon)
243
244		// daemon misc
245	851	daemon->max_ttl = get_int(&data, &size);
246	851	daemon->neg_ttl = get_int(&data, &size);
247	851	daemon->local_ttl = get_int(&data, &size);
248	851	daemon->min_cache_ttl = get_int(&data, &size);
249
250		// daemon->namebuff.
251	851	char *daemon_namebuff = gb_get_len_null_terminated(&data, &size, MAXDNAME);
252	851	daemon->namebuff = daemon_namebuff;
253
254		// daemon->naptr
255	851	struct naptr naptr_ptr = (struct naptr)gb_alloc_data(sizeof(struct naptr));
256	851	char *naptr_name = gb_get_null_terminated(&data, &size);
257	851	char *naptr_replace = gb_get_null_terminated(&data, &size);
258	851	char *naptr_regexp = gb_get_null_terminated(&data, &size);
259	851	char *naptr_services = gb_get_null_terminated(&data, &size);
260	851	char *naptr_flags = gb_get_null_terminated(&data, &size);
261
262	851	CLEAN_IF_NULL(naptr_ptr)
263	851	CLEAN_IF_NULL(naptr_name)
264	816	CLEAN_IF_NULL(naptr_replace)
265	809	CLEAN_IF_NULL(naptr_regexp)
266	806	CLEAN_IF_NULL(naptr_services)
267	798	CLEAN_IF_NULL(naptr_flags)
268
269	795	naptr_ptr->name = naptr_name;
270	795	naptr_ptr->replace = naptr_replace;
271	795	naptr_ptr->regexp = naptr_regexp;
272	795	naptr_ptr->services = naptr_services;
273	795	naptr_ptr->flags = naptr_flags;
274
275	795	daemon->naptr = naptr_ptr;
276
277		// daemon->int_names
278	795	struct interface_name int_namses = (struct interface_name)gb_alloc_data(sizeof(struct interface_name));
279
280	795	char *int_name = gb_get_null_terminated(&data, &size);
281	795	char *int_intr = gb_get_null_terminated(&data, &size);
282	795	CLEAN_IF_NULL(int_namses)
283	795	CLEAN_IF_NULL(int_name)
284	780	CLEAN_IF_NULL(int_intr)
285	770	int_namses->name = int_name;
286	770	int_namses->intr = int_intr;
287
288	770	struct addrlist d_addrlist = (struct addrlist)gb_alloc_data(sizeof(struct addrlist));
289	770	CLEAN_IF_NULL(d_addrlist)
290	770	d_addrlist->flags = get_int(&data, &size);
291	770	d_addrlist->prefixlen = get_int(&data, &size);
292	770	int_namses->addr = d_addrlist;
293
294	770	daemon->int_names = int_namses;
295
296	770	if (size > *size2) {
297	0	goto cleanup;
298	0	}
299
300		// daemon->addrbuf
301	770	char *adbuf = gb_alloc_data(200);
302	770	CLEAN_IF_NULL(adbuf)
303	770	daemon->addrbuff = adbuf;
304
305		// daemon->auth_zones
306	770	struct auth_zone d_az = (struct auth_zone)gb_alloc_data(sizeof(struct auth_zone));
307	770	char *auth_domain = gb_get_null_terminated(&data, &size);
308
309	770	CLEAN_IF_NULL(d_az)
310	770	CLEAN_IF_NULL(auth_domain)
311	744	d_az->domain = auth_domain;
312	744	daemon->auth_zones = d_az;
313
314		// deamon->mxnames
315	744	struct mx_srv_record mx_srv_rec = (struct mx_srv_record)gb_alloc_data(sizeof(struct mx_srv_record));
316	744	char *mx_name = gb_get_null_terminated(&data, &size);
317	744	char *mx_target = gb_get_null_terminated(&data, &size);
318
319	744	CLEAN_IF_NULL(mx_srv_rec)
320	744	CLEAN_IF_NULL(mx_target)
321	734	CLEAN_IF_NULL(mx_name)
322
323	734	mx_srv_rec->next = daemon->mxnames;
324	734	daemon->mxnames = mx_srv_rec;
325	734	mx_srv_rec->name = mx_name;
326	734	mx_srv_rec->target = mx_target;
327	734	mx_srv_rec->issrv = get_int(&data, &size);
328	734	mx_srv_rec->weight = get_int(&data, &size);
329	734	mx_srv_rec->priority = get_int(&data, &size);
330	734	mx_srv_rec->srvport = get_int(&data, &size);
331		//data += 40;
332		//size -= 40;
333
334	734	if (size > *size2) {
335	0	goto cleanup;
336	0	}
337
338		// daemon->txt
339	734	struct txt_record txt_record = (struct txt_record )gb_alloc_data(sizeof(struct txt_record));
340	734	char *txt_record_name = gb_get_null_terminated(&data, &size);
341	734	char *txt_record_txt = gb_get_null_terminated(&data, &size);
342
343	734	CLEAN_IF_NULL(txt_record)
344	734	CLEAN_IF_NULL(txt_record_name)
345	706	CLEAN_IF_NULL(txt_record_txt)
346
347	697	txt_record->name = txt_record_name;
348	697	txt_record->txt = (unsigned char*)txt_record_txt;
349	697	txt_record->class2 = (get_short(&data, &size) % 10);
350	697	daemon->txt = txt_record;
351
352		// daemon->rr
353	697	struct txt_record rr_record = (struct txt_record )gb_alloc_data(sizeof(struct txt_record));
354	697	char *rr_record_name = gb_get_null_terminated(&data, &size);
355	697	char *rr_record_txt = gb_get_null_terminated(&data, &size);
356
357	697	CLEAN_IF_NULL(rr_record)
358	697	CLEAN_IF_NULL(rr_record_name)
359	686	CLEAN_IF_NULL(rr_record_txt)
360
361	666	rr_record->name = rr_record_name;
362	666	rr_record->txt = (unsigned char*)rr_record_txt;
363	666	rr_record->class2 = (get_short(&data, &size) % 10);
364	666	daemon->rr = rr_record;
365
366	666	if (size > *size2) {
367	0	goto cleanup;
368	0	}
369
370		// daemon->relay4
371		//struct dhcp_relay dr = (struct dhcp_relay)gb_alloc_data(sizeof(struct dhcp_relay));
372	666	struct dhcp_relay dr = (struct dhcp_relay)gb_get_random_data(&data, &size, sizeof(struct dhcp_relay));
373	666	char *dr_interface = gb_get_null_terminated(&data, &size);
374
375	666	CLEAN_IF_NULL(dr)
376	649	CLEAN_IF_NULL(dr_interface)
377	637	dr->interface = dr_interface;
378	637	dr->next = NULL;
379		//dr->current = NULL;
380	637	daemon->relay4 = dr;
381
382		// deamon->bridges
383	637	struct dhcp_bridge db = (struct dhcp_bridge)gb_alloc_data(sizeof(struct dhcp_bridge));
384	637	char *db_interface = gb_get_null_terminated(&data, &size);
385
386	637	CLEAN_IF_NULL(db)
387	637	CLEAN_IF_NULL(db_interface)
388
389	630	if (strlen(db_interface) > IF_NAMESIZE) {
390	6.85k	for (int i = 0; i < IF_NAMESIZE; i++) {
391	6.44k	db->iface[i] = db_interface[i];
392	6.44k	}
393	403	} else {
394	920	for (int i = 0; i < strlen(db_interface); i++) {
395	693	db->iface[i] = db_interface[i];
396	693	}
397	227	}
398
399
400	630	struct dhcp_bridge db_alias = (struct dhcp_bridge)gb_alloc_data(sizeof(struct dhcp_bridge));
401		//struct dhcp_bridge db_alias = (struct dhcp_bridge)gb_get_random_data(&data, &size, sizeof(struct dhcp_bridge));
402	630	char *db_alias_interface = gb_get_null_terminated(&data, &size);
403
404	630	CLEAN_IF_NULL(db_alias)
405	630	CLEAN_IF_NULL(db_alias_interface)
406
407	611	if (strlen(db_alias_interface) > IF_NAMESIZE) {
408	6.44k	for (int i = 0; i < IF_NAMESIZE; i++) {
409	6.06k	db_alias->iface[i] = db_alias_interface[i];
410	6.06k	}
411	379	} else {
412	1.04k	for (int i = 0; i < strlen(db_alias_interface); i++) {
413	817	db_alias->iface[i] = db_alias_interface[i];
414	817	}
415	232	}
416	611	db->alias = db_alias;
417	611	daemon->bridges = db;
418
419		// daemon->if_names
420	611	struct iname in = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
421	611	char *iname_name = gb_get_null_terminated(&data, &size);
422
423	611	CLEAN_IF_NULL(in)
424	593	CLEAN_IF_NULL(iname_name)
425
426	590	in->name = iname_name;
427	590	in->next = NULL;
428
429	590	daemon->if_names = in;
430
431		// daemon->if_addrs
432	590	struct iname in_addr = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
433	590	char *iname_name_addr = gb_get_null_terminated(&data, &size);
434
435	590	CLEAN_IF_NULL(in_addr)
436	588	CLEAN_IF_NULL(iname_name_addr)
437
438	583	in_addr->name = iname_name_addr;
439	583	in_addr->next = NULL;
440
441	583	daemon->if_addrs = in_addr;
442
443		// daemon->if_except
444	583	struct iname in_except = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
445	583	char *iname_name_except = gb_get_null_terminated(&data, &size);
446
447	583	CLEAN_IF_NULL(in_except)
448	581	CLEAN_IF_NULL(iname_name_except)
449
450	580	in_except->name = iname_name_except;
451	580	in_except->next = NULL;
452
453	580	daemon->if_except = in_except;
454
455		// daemon->dhcp_except
456	580	struct iname except = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
457	580	char *name_except = gb_get_null_terminated(&data, &size);
458
459	580	CLEAN_IF_NULL(except)
460	577	CLEAN_IF_NULL(name_except)
461
462	573	except->name = name_except;
463	573	except->next = NULL;
464
465	573	daemon->dhcp_except = except;
466
467		// daemon->authinterface
468	573	struct iname auth_interface = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
469	573	char *auth_name = gb_get_null_terminated(&data, &size);
470
471	573	CLEAN_IF_NULL(auth_interface)
472	572	CLEAN_IF_NULL(auth_name)
473
474	562	auth_interface->name = auth_name;
475	562	auth_interface->next = NULL;
476
477	562	daemon->authinterface = auth_interface;
478
479
480		// daemon->cnames
481	562	struct cname cn = (struct cname)gb_alloc_data(sizeof(struct cname));
482	562	char *cname_alias = gb_get_null_terminated(&data, &size);
483	562	char *cname_target = gb_get_null_terminated(&data, &size);
484
485	562	CLEAN_IF_NULL(cn)
486	562	CLEAN_IF_NULL(cname_alias)
487	558	CLEAN_IF_NULL(cname_target)
488
489	554	cn->alias = cname_alias;
490	554	cn->target = cname_target;
491	554	daemon->cnames = cn;
492
493
494		// daemon->ptr
495	554	struct ptr_record ptr = (struct ptr_record )gb_alloc_data(sizeof(struct ptr_record));
496	554	CLEAN_IF_NULL(ptr)
497
498	554	char *ptr_name = gb_get_null_terminated(&data, &size);
499	554	CLEAN_IF_NULL(ptr_name)
500	551	ptr->name = ptr_name;
501	551	daemon->ptr = ptr;
502
503	551	if (size > *size2) {
504	0	goto cleanup;
505	0	}
506
507		// daemon->dhcp
508	551	struct dhcp_context dhcp_c = (struct dhcp_context ) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
509
510	551	char *dhcp_c_temp_in = gb_get_null_terminated(&data, &size);
511
512	551	struct dhcp_netid dhcp_c_netid = (struct dhcp_netid ) gb_alloc_data(sizeof(struct dhcp_netid));
513	551	char *dhcp_netid_net = gb_get_null_terminated(&data, &size);
514
515	551	CLEAN_IF_NULL(dhcp_c)
516	544	CLEAN_IF_NULL(dhcp_c_temp_in)
517	542	CLEAN_IF_NULL(dhcp_c_netid)
518	542	CLEAN_IF_NULL(dhcp_netid_net)
519
520	540	dhcp_c->next = NULL;
521	540	dhcp_c->current = NULL;
522	540	dhcp_c_netid->net = dhcp_netid_net;
523	540	dhcp_c->filter = dhcp_c_netid;
524	540	dhcp_c->template_interface = dhcp_c_temp_in;
525
526	540	daemon->dhcp = dhcp_c;
527
528
529		// daemon->dhcp6
530	540	struct dhcp_context dhcp6_c = (struct dhcp_context ) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
531
532	540	char *dhcp6_c_temp_in = gb_get_null_terminated(&data, &size);
533
534	540	struct dhcp_netid dhcp6_c_netid = (struct dhcp_netid ) gb_alloc_data(sizeof(struct dhcp_netid));
535	540	char *dhcp6_netid_net = gb_get_null_terminated(&data, &size);
536
537	540	CLEAN_IF_NULL(dhcp6_c)
538	536	CLEAN_IF_NULL(dhcp6_c_temp_in)
539	535	CLEAN_IF_NULL(dhcp6_c_netid)
540	535	CLEAN_IF_NULL(dhcp6_netid_net)
541
542	530	dhcp6_c->next = NULL;
543	530	dhcp6_c->current = NULL;
544	530	dhcp6_c_netid->net = dhcp6_netid_net;
545	530	dhcp6_c->filter = dhcp6_c_netid;
546	530	dhcp6_c->template_interface = dhcp6_c_temp_in;
547
548	530	daemon->dhcp6 = dhcp6_c;
549
550		// daemon->doing_dhcp6
551	530	daemon->doing_dhcp6 = 1;
552
553		// daemon->dhcp_buffs
554	530	char *dhcp_buff = gb_alloc_data(DHCP_BUFF_SZ);
555	530	char *dhcp_buff2 = gb_alloc_data(DHCP_BUFF_SZ);
556	530	char *dhcp_buff3 = gb_alloc_data(DHCP_BUFF_SZ);
557
558	530	CLEAN_IF_NULL(dhcp_buff)
559	530	CLEAN_IF_NULL(dhcp_buff2)
560	530	CLEAN_IF_NULL(dhcp_buff3)
561
562	530	daemon->dhcp_buff = dhcp_buff;
563	530	daemon->dhcp_buff2 = dhcp_buff2;
564	530	daemon->dhcp_buff3 = dhcp_buff3;
565
566
567
568		// daemon->ignore_addr
569	530	struct bogus_addr bb = (struct bogus_addr )gb_alloc_data(sizeof(struct bogus_addr));
570	530	CLEAN_IF_NULL(bb)
571
572	530	daemon->ignore_addr = bb;
573
574		// daemon->doctors
575	530	if (size > *size2) {
576	0	goto cleanup;
577	0	}
578
579	530	struct doctor doctors = (struct doctor )gb_alloc_data(sizeof(struct doctor));
580	530	CLEAN_IF_NULL(doctors)
581
582	530	doctors->next = NULL;
583	530	daemon->doctors = doctors;
584
585	530	retval = 0;
586	530	goto ret;
587	321	cleanup:
588	321	retval = -1;
589
590	851	ret:
591	851	return retval;
592	321	}