/src/fuzz_util.cc

Source
/* Copyright 2026 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

extern "C" {
#include "dnsmasq.h"
}

#include <fuzzer/FuzzedDataProvider.h>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

#define STR_SIZE 75

static int init_daemon(FuzzedDataProvider &provider,
                       std::vector<void *> &allocs,
                       std::vector<std::string> &strings) {
  auto alloc = [&](size_t sz) -> void * {
    void *p = calloc(1, sz);
    if (p) allocs.push_back(p);
    return p;
  };

  auto make_string = [&](size_t max_len) -> char * {
    strings.push_back(provider.ConsumeRandomLengthString(max_len));
    return strings.back().data();
  };

  // Allocate daemon separately (not via alloc) so it can be freed last.
  // dnsmasq's free_real() dereferences daemon for metrics tracking.
  daemon = (struct daemon *)calloc(1, sizeof(struct daemon));
  if (!daemon) return -1;

  daemon->max_ttl = provider.ConsumeIntegral<int>();
  daemon->neg_ttl = provider.ConsumeIntegral<int>();
  daemon->local_ttl = provider.ConsumeIntegral<int>();
  daemon->min_cache_ttl = provider.ConsumeIntegral<int>();

  daemon->namebuff = make_string(MAXDNAME);

  // daemon->naptr
  struct naptr *naptr_ptr = (struct naptr *)alloc(sizeof(struct naptr));
  if (!naptr_ptr) return -1;
  naptr_ptr->name = make_string(STR_SIZE);
  naptr_ptr->replace = make_string(STR_SIZE);
  naptr_ptr->regexp = make_string(STR_SIZE);
  naptr_ptr->services = make_string(STR_SIZE);
  naptr_ptr->flags = make_string(STR_SIZE);
  daemon->naptr = naptr_ptr;

  // daemon->int_names
  struct interface_name *int_namses =
      (struct interface_name *)alloc(sizeof(struct interface_name));
  if (!int_namses) return -1;
  int_namses->name = make_string(STR_SIZE);
  int_namses->intr = make_string(STR_SIZE);

  struct addrlist *d_addrlist = (struct addrlist *)alloc(sizeof(struct addrlist));
  if (!d_addrlist) return -1;
  d_addrlist->flags = provider.ConsumeIntegral<int>();
  d_addrlist->prefixlen = provider.ConsumeIntegral<int>();
  int_namses->addr = d_addrlist;
  daemon->int_names = int_namses;

  // daemon->addrbuf
  char *adbuf = (char *)alloc(200);
  if (!adbuf) return -1;
  daemon->addrbuff = adbuf;

  // daemon->auth_zones
  struct auth_zone *d_az = (struct auth_zone *)alloc(sizeof(struct auth_zone));
  if (!d_az) return -1;
  d_az->domain = make_string(STR_SIZE);
  daemon->auth_zones = d_az;

  // daemon->mxnames
  struct mx_srv_record *mx_srv_rec =
      (struct mx_srv_record *)alloc(sizeof(struct mx_srv_record));
  if (!mx_srv_rec) return -1;
  mx_srv_rec->next = daemon->mxnames;
  daemon->mxnames = mx_srv_rec;
  mx_srv_rec->name = make_string(STR_SIZE);
  mx_srv_rec->target = make_string(STR_SIZE);
  mx_srv_rec->issrv = provider.ConsumeIntegral<int>();
  mx_srv_rec->weight = provider.ConsumeIntegral<int>();
  mx_srv_rec->priority = provider.ConsumeIntegral<int>();
  mx_srv_rec->srvport = provider.ConsumeIntegral<int>();

  // daemon->txt
  struct txt_record *txt_record =
      (struct txt_record *)alloc(sizeof(struct txt_record));
  if (!txt_record) return -1;
  txt_record->name = make_string(STR_SIZE);
  txt_record->txt = (unsigned char *)make_string(STR_SIZE);
  txt_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
  daemon->txt = txt_record;

  // daemon->rr
  struct txt_record *rr_record =
      (struct txt_record *)alloc(sizeof(struct txt_record));
  if (!rr_record) return -1;
  rr_record->name = make_string(STR_SIZE);
  rr_record->txt = (unsigned char *)make_string(STR_SIZE);
  rr_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
  daemon->rr = rr_record;

  // daemon->relay4
  struct dhcp_relay *dr = (struct dhcp_relay *)alloc(sizeof(struct dhcp_relay));
  if (!dr) return -1;
  dr->interface = make_string(STR_SIZE);
  dr->next = NULL;
  daemon->relay4 = dr;

  // daemon->bridges
  struct dhcp_bridge *db = (struct dhcp_bridge *)alloc(sizeof(struct dhcp_bridge));
  if (!db) return -1;
  {
    std::string iface_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
    memcpy(db->iface, iface_str.c_str(), iface_str.size() + 1);
  }

  struct dhcp_bridge *db_alias =
      (struct dhcp_bridge *)alloc(sizeof(struct dhcp_bridge));
  if (!db_alias) return -1;
  {
    std::string alias_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
    memcpy(db_alias->iface, alias_str.c_str(), alias_str.size() + 1);
  }
  db->alias = db_alias;
  daemon->bridges = db;

  // daemon->if_names, if_addrs, if_except, dhcp_except, authinterface
  auto make_iname = [&]() -> struct iname * {
    struct iname *in = (struct iname *)alloc(sizeof(struct iname));
    if (!in) return nullptr;
    in->name = make_string(STR_SIZE);
    in->next = NULL;
    return in;
  };

  daemon->if_names = make_iname();
  daemon->if_addrs = make_iname();
  daemon->if_except = make_iname();
  daemon->dhcp_except = make_iname();
  daemon->authinterface = make_iname();
  if (!daemon->if_names || !daemon->if_addrs || !daemon->if_except ||
      !daemon->dhcp_except || !daemon->authinterface)
    return -1;

  // daemon->cnames
  struct cname *cn = (struct cname *)alloc(sizeof(struct cname));
  if (!cn) return -1;
  cn->alias = make_string(STR_SIZE);
  cn->target = make_string(STR_SIZE);
  daemon->cnames = cn;

  // daemon->ptr
  struct ptr_record *ptr = (struct ptr_record *)alloc(sizeof(struct ptr_record));
  if (!ptr) return -1;
  ptr->name = make_string(STR_SIZE);
  daemon->ptr = ptr;

  // daemon->dhcp
  struct dhcp_context *dhcp_c =
      (struct dhcp_context *)alloc(sizeof(struct dhcp_context));
  if (!dhcp_c) return -1;
  dhcp_c->next = NULL;
  dhcp_c->current = NULL;
  struct dhcp_netid *dhcp_c_netid =
      (struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
  if (!dhcp_c_netid) return -1;
  dhcp_c_netid->net = make_string(STR_SIZE);
  dhcp_c->filter = dhcp_c_netid;
  dhcp_c->template_interface = make_string(STR_SIZE);
  daemon->dhcp = dhcp_c;

  // daemon->dhcp6
  struct dhcp_context *dhcp6_c =
      (struct dhcp_context *)alloc(sizeof(struct dhcp_context));
  if (!dhcp6_c) return -1;
  dhcp6_c->next = NULL;
  dhcp6_c->current = NULL;
  struct dhcp_netid *dhcp6_c_netid =
      (struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
  if (!dhcp6_c_netid) return -1;
  dhcp6_c_netid->net = make_string(STR_SIZE);
  dhcp6_c->filter = dhcp6_c_netid;
  dhcp6_c->template_interface = make_string(STR_SIZE);
  daemon->dhcp6 = dhcp6_c;

  daemon->doing_dhcp6 = 1;

  // daemon->dhcp_buffs
  daemon->dhcp_buff = (char *)alloc(DHCP_BUFF_SZ);
  daemon->dhcp_buff2 = (char *)alloc(DHCP_BUFF_SZ);
  daemon->dhcp_buff3 = (char *)alloc(DHCP_BUFF_SZ);
  if (!daemon->dhcp_buff || !daemon->dhcp_buff2 || !daemon->dhcp_buff3)
    return -1;

  // daemon->ignore_addr
  struct bogus_addr *bb = (struct bogus_addr *)alloc(sizeof(struct bogus_addr));
  if (!bb) return -1;
  daemon->ignore_addr = bb;

  // daemon->doctors
  struct doctor *doctors = (struct doctor *)alloc(sizeof(struct doctor));
  if (!doctors) return -1;
  doctors->next = NULL;
  daemon->doctors = doctors;

  return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  FuzzedDataProvider provider(data, size);

  std::vector<void *> allocs;
  std::vector<std::string> strings;
  strings.reserve(40);

  int succ = init_daemon(provider, allocs, strings);
  if (succ == 0) {
    std::string t1_str = provider.ConsumeRandomLengthString(MAXDNAME);
    std::string t2_str = provider.ConsumeRandomLengthString(MAXDNAME);
    if (t1_str.empty() || t2_str.empty())
      goto cleanup;

    char *t1 = t1_str.data();
    char *t2 = t2_str.data();

    // Util logic
    hostname_isequal(t1, t2);

    legal_hostname(t1);
    char *tmp = canonicalise(t2, NULL);
    if (tmp != NULL) {
      free(tmp);
    }

    char *tmp_out = (char *)malloc(30);
    if (tmp_out) {
      int mac_type;
      parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, NULL);
      parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, &mac_type);
      free(tmp_out);
    }

    wildcard_match(t1, t2);
    if (t1_str.size() < t2_str.size()) {
      wildcard_matchn(t1, t2, t1_str.size());
    } else {
      wildcard_matchn(t1, t2, t2_str.size());
    }
    hostname_issubdomain(t1, t2);

    union all_addr addr1;
    memset(&addr1, 0, sizeof(union all_addr));
    is_name_synthetic(0, t1, &addr1);
  }

cleanup:
  for (void *p : allocs)
    free(p);
  // Free daemon last since dnsmasq's free_real() dereferences it.
  free(daemon);
  daemon = NULL;

  return 0;
}

Coverage Report

Created: 2026-03-07 07:04

Line	Count	Source
1		/* Copyright 2026 Google LLC
2		Licensed under the Apache License, Version 2.0 (the "License");
3		you may not use this file except in compliance with the License.
4		You may obtain a copy of the License at
5		http://www.apache.org/licenses/LICENSE-2.0
6		Unless required by applicable law or agreed to in writing, software
7		distributed under the License is distributed on an "AS IS" BASIS,
8		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9		See the License for the specific language governing permissions and
10		limitations under the License.
11		*/
12
13		extern "C" {
14		#include "dnsmasq.h"
15		}
16
17		#include <fuzzer/FuzzedDataProvider.h>
18		#include <cstdlib>
19		#include <cstring>
20		#include <string>
21		#include <vector>
22
23	15.6k	#define STR_SIZE 75
24
25		static int init_daemon(FuzzedDataProvider &provider,
26		std::vector<void *> &allocs,
27	581	std::vector<std::string> &strings) {
28	15.6k	auto alloc = [&](size_t sz) -> void * {
29	15.6k	void *p = calloc(1, sz);
30	15.6k	if (p) allocs.push_back(p);
31	15.6k	return p;
32	15.6k	};
33
34	16.2k	auto make_string = [&](size_t max_len) -> char * {
35	16.2k	strings.push_back(provider.ConsumeRandomLengthString(max_len));
36	16.2k	return strings.back().data();
37	16.2k	};
38
39		// Allocate daemon separately (not via alloc) so it can be freed last.
40		// dnsmasq's free_real() dereferences daemon for metrics tracking.
41	581	daemon = (struct daemon *)calloc(1, sizeof(struct daemon));
42	581	if (!daemon) return -1;
43
44	581	daemon->max_ttl = provider.ConsumeIntegral<int>();
45	581	daemon->neg_ttl = provider.ConsumeIntegral<int>();
46	581	daemon->local_ttl = provider.ConsumeIntegral<int>();
47	581	daemon->min_cache_ttl = provider.ConsumeIntegral<int>();
48
49	581	daemon->namebuff = make_string(MAXDNAME);
50
51		// daemon->naptr
52	581	struct naptr naptr_ptr = (struct naptr )alloc(sizeof(struct naptr));
53	581	if (!naptr_ptr) return -1;
54	581	naptr_ptr->name = make_string(STR_SIZE);
55	581	naptr_ptr->replace = make_string(STR_SIZE);
56	581	naptr_ptr->regexp = make_string(STR_SIZE);
57	581	naptr_ptr->services = make_string(STR_SIZE);
58	581	naptr_ptr->flags = make_string(STR_SIZE);
59	581	daemon->naptr = naptr_ptr;
60
61		// daemon->int_names
62	581	struct interface_name *int_namses =
63	581	(struct interface_name *)alloc(sizeof(struct interface_name));
64	581	if (!int_namses) return -1;
65	581	int_namses->name = make_string(STR_SIZE);
66	581	int_namses->intr = make_string(STR_SIZE);
67
68	581	struct addrlist d_addrlist = (struct addrlist )alloc(sizeof(struct addrlist));
69	581	if (!d_addrlist) return -1;
70	581	d_addrlist->flags = provider.ConsumeIntegral<int>();
71	581	d_addrlist->prefixlen = provider.ConsumeIntegral<int>();
72	581	int_namses->addr = d_addrlist;
73	581	daemon->int_names = int_namses;
74
75		// daemon->addrbuf
76	581	char adbuf = (char )alloc(200);
77	581	if (!adbuf) return -1;
78	581	daemon->addrbuff = adbuf;
79
80		// daemon->auth_zones
81	581	struct auth_zone d_az = (struct auth_zone )alloc(sizeof(struct auth_zone));
82	581	if (!d_az) return -1;
83	581	d_az->domain = make_string(STR_SIZE);
84	581	daemon->auth_zones = d_az;
85
86		// daemon->mxnames
87	581	struct mx_srv_record *mx_srv_rec =
88	581	(struct mx_srv_record *)alloc(sizeof(struct mx_srv_record));
89	581	if (!mx_srv_rec) return -1;
90	581	mx_srv_rec->next = daemon->mxnames;
91	581	daemon->mxnames = mx_srv_rec;
92	581	mx_srv_rec->name = make_string(STR_SIZE);
93	581	mx_srv_rec->target = make_string(STR_SIZE);
94	581	mx_srv_rec->issrv = provider.ConsumeIntegral<int>();
95	581	mx_srv_rec->weight = provider.ConsumeIntegral<int>();
96	581	mx_srv_rec->priority = provider.ConsumeIntegral<int>();
97	581	mx_srv_rec->srvport = provider.ConsumeIntegral<int>();
98
99		// daemon->txt
100	581	struct txt_record *txt_record =
101	581	(struct txt_record *)alloc(sizeof(struct txt_record));
102	581	if (!txt_record) return -1;
103	581	txt_record->name = make_string(STR_SIZE);
104	581	txt_record->txt = (unsigned char *)make_string(STR_SIZE);
105	581	txt_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
106	581	daemon->txt = txt_record;
107
108		// daemon->rr
109	581	struct txt_record *rr_record =
110	581	(struct txt_record *)alloc(sizeof(struct txt_record));
111	581	if (!rr_record) return -1;
112	581	rr_record->name = make_string(STR_SIZE);
113	581	rr_record->txt = (unsigned char *)make_string(STR_SIZE);
114	581	rr_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
115	581	daemon->rr = rr_record;
116
117		// daemon->relay4
118	581	struct dhcp_relay dr = (struct dhcp_relay )alloc(sizeof(struct dhcp_relay));
119	581	if (!dr) return -1;
120	581	dr->interface = make_string(STR_SIZE);
121	581	dr->next = NULL;
122	581	daemon->relay4 = dr;
123
124		// daemon->bridges
125	581	struct dhcp_bridge db = (struct dhcp_bridge )alloc(sizeof(struct dhcp_bridge));
126	581	if (!db) return -1;
127	581	{
128	581	std::string iface_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
129	581	memcpy(db->iface, iface_str.c_str(), iface_str.size() + 1);
130	581	}
131
132	581	struct dhcp_bridge *db_alias =
133	581	(struct dhcp_bridge *)alloc(sizeof(struct dhcp_bridge));
134	581	if (!db_alias) return -1;
135	581	{
136	581	std::string alias_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
137	581	memcpy(db_alias->iface, alias_str.c_str(), alias_str.size() + 1);
138	581	}
139	581	db->alias = db_alias;
140	581	daemon->bridges = db;
141
142		// daemon->if_names, if_addrs, if_except, dhcp_except, authinterface
143	2.90k	auto make_iname = [&]() -> struct iname * {
144	2.90k	struct iname in = (struct iname )alloc(sizeof(struct iname));
145	2.90k	if (!in) return nullptr;
146	2.90k	in->name = make_string(STR_SIZE);
147	2.90k	in->next = NULL;
148	2.90k	return in;
149	2.90k	};
150
151	581	daemon->if_names = make_iname();
152	581	daemon->if_addrs = make_iname();
153	581	daemon->if_except = make_iname();
154	581	daemon->dhcp_except = make_iname();
155	581	daemon->authinterface = make_iname();
156	581	if (!daemon->if_names \|\| !daemon->if_addrs \|\| !daemon->if_except \|\|
157	581	!daemon->dhcp_except \|\| !daemon->authinterface)
158	0	return -1;
159
160		// daemon->cnames
161	581	struct cname cn = (struct cname )alloc(sizeof(struct cname));
162	581	if (!cn) return -1;
163	581	cn->alias = make_string(STR_SIZE);
164	581	cn->target = make_string(STR_SIZE);
165	581	daemon->cnames = cn;
166
167		// daemon->ptr
168	581	struct ptr_record ptr = (struct ptr_record )alloc(sizeof(struct ptr_record));
169	581	if (!ptr) return -1;
170	581	ptr->name = make_string(STR_SIZE);
171	581	daemon->ptr = ptr;
172
173		// daemon->dhcp
174	581	struct dhcp_context *dhcp_c =
175	581	(struct dhcp_context *)alloc(sizeof(struct dhcp_context));
176	581	if (!dhcp_c) return -1;
177	581	dhcp_c->next = NULL;
178	581	dhcp_c->current = NULL;
179	581	struct dhcp_netid *dhcp_c_netid =
180	581	(struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
181	581	if (!dhcp_c_netid) return -1;
182	581	dhcp_c_netid->net = make_string(STR_SIZE);
183	581	dhcp_c->filter = dhcp_c_netid;
184	581	dhcp_c->template_interface = make_string(STR_SIZE);
185	581	daemon->dhcp = dhcp_c;
186
187		// daemon->dhcp6
188	581	struct dhcp_context *dhcp6_c =
189	581	(struct dhcp_context *)alloc(sizeof(struct dhcp_context));
190	581	if (!dhcp6_c) return -1;
191	581	dhcp6_c->next = NULL;
192	581	dhcp6_c->current = NULL;
193	581	struct dhcp_netid *dhcp6_c_netid =
194	581	(struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
195	581	if (!dhcp6_c_netid) return -1;
196	581	dhcp6_c_netid->net = make_string(STR_SIZE);
197	581	dhcp6_c->filter = dhcp6_c_netid;
198	581	dhcp6_c->template_interface = make_string(STR_SIZE);
199	581	daemon->dhcp6 = dhcp6_c;
200
201	581	daemon->doing_dhcp6 = 1;
202
203		// daemon->dhcp_buffs
204	581	daemon->dhcp_buff = (char *)alloc(DHCP_BUFF_SZ);
205	581	daemon->dhcp_buff2 = (char *)alloc(DHCP_BUFF_SZ);
206	581	daemon->dhcp_buff3 = (char *)alloc(DHCP_BUFF_SZ);
207	581	if (!daemon->dhcp_buff \|\| !daemon->dhcp_buff2 \|\| !daemon->dhcp_buff3)
208	0	return -1;
209
210		// daemon->ignore_addr
211	581	struct bogus_addr bb = (struct bogus_addr )alloc(sizeof(struct bogus_addr));
212	581	if (!bb) return -1;
213	581	daemon->ignore_addr = bb;
214
215		// daemon->doctors
216	581	struct doctor doctors = (struct doctor )alloc(sizeof(struct doctor));
217	581	if (!doctors) return -1;
218	581	doctors->next = NULL;
219	581	daemon->doctors = doctors;
220
221	581	return 0;
222	581	}
223
224	581	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
225	581	FuzzedDataProvider provider(data, size);
226
227	581	std::vector<void *> allocs;
228	581	std::vector<std::string> strings;
229	581	strings.reserve(40);
230
231	581	int succ = init_daemon(provider, allocs, strings);
232	581	if (succ == 0) {
233	581	std::string t1_str = provider.ConsumeRandomLengthString(MAXDNAME);
234	581	std::string t2_str = provider.ConsumeRandomLengthString(MAXDNAME);
235	581	if (t1_str.empty() \|\| t2_str.empty())
236	205	goto cleanup;
237
238	376	char *t1 = t1_str.data();
239	376	char *t2 = t2_str.data();
240
241		// Util logic
242	376	hostname_isequal(t1, t2);
243
244	376	legal_hostname(t1);
245	376	char *tmp = canonicalise(t2, NULL);
246	376	if (tmp != NULL) {
247	97	free(tmp);
248	97	}
249
250	376	char tmp_out = (char )malloc(30);
251	376	if (tmp_out) {
252	376	int mac_type;
253	376	parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, NULL);
254	376	parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, &mac_type);
255	376	free(tmp_out);
256	376	}
257
258	376	wildcard_match(t1, t2);
259	376	if (t1_str.size() < t2_str.size()) {
260	63	wildcard_matchn(t1, t2, t1_str.size());
261	313	} else {
262	313	wildcard_matchn(t1, t2, t2_str.size());
263	313	}
264	376	hostname_issubdomain(t1, t2);
265
266	376	union all_addr addr1;
267	376	memset(&addr1, 0, sizeof(union all_addr));
268	376	is_name_synthetic(0, t1, &addr1);
269	376	}
270
271	581	cleanup:
272	581	for (void *p : allocs)
273	15.6k	free(p);
274		// Free daemon last since dnsmasq's free_real() dereferences it.
275	581	free(daemon);
276	581	daemon = NULL;
277
278	581	return 0;
279	581	}