/src/fuzz_header.h

Source (jump to first uncovered line)
/* Copyright 2021 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

#include "dnsmasq.h"

extern void fuzz_blockdata_cleanup();

// Simple garbage collector 
#define GB_SIZE 100

void *pointer_arr[GB_SIZE];
static int pointer_idx = 0;

// If the garbage collector is used then this must be called as first thing
// during a fuzz run.
void gb_init() {
  pointer_idx = 0;

   for (int i = 0; i < GB_SIZE; i++) {
     pointer_arr[i] = NULL;
   }
}

void gb_cleanup() {
  for(int i = 0; i < GB_SIZE; i++) {
    if (pointer_arr[i] != NULL) {
      free(pointer_arr[i]);
    }
  }
}

char *get_len_null_terminated(const uint8_t **data, size_t *size, size_t to_get) {
  if (*size < to_get || (int)*size < 0) {
    return NULL;
  }

  char *new_s = malloc(to_get + 1);
  memcpy(new_s, *data, to_get);
  new_s[to_get] = '\0';

  *data = *data+to_get;
  *size -= to_get;
  return new_s;
}

char *get_null_terminated(const uint8_t **data, size_t *size) {
#define STR_SIZE 75
  return get_len_null_terminated(data, size, STR_SIZE);
}

char *gb_get_random_data(const uint8_t **data, size_t *size, size_t to_get) {
  if (*size < to_get || (int)*size < 0) {
    return NULL;
  }

  char *new_s = malloc(to_get);
  memcpy(new_s, *data, to_get);

  pointer_arr[pointer_idx++] = (void*)new_s;
  
  *data = *data + to_get;
  *size -= to_get;

  return new_s;
}

char *gb_get_null_terminated(const uint8_t **data, size_t *size) {

  char *nstr = get_null_terminated(data, size);
  if (nstr == NULL) {
    return NULL;
  }
  pointer_arr[pointer_idx++] = (void*)nstr;
  return nstr;
}

char *gb_get_len_null_terminated(const uint8_t **data, size_t *size, size_t to_get) {

  char *nstr = get_len_null_terminated(data, size, to_get);
  if (nstr != NULL) {
    pointer_arr[pointer_idx++] = (void*)nstr;
  }
  return nstr;
}

char *gb_alloc_data(size_t len) {
  char *ptr = calloc(1, len);
  pointer_arr[pointer_idx++] = (void*)ptr;
  
  return ptr;
}

short get_short(const uint8_t **data, size_t *size) {
  if (*size <= 0) return 0;
  short c = (short)(*data)[0];
  *data += 1;
  *size-=1;
  return c;
}

int get_int(const uint8_t **data, size_t *size) {
  if (*size <= 4) return 0;
  const uint8_t *ptr = *data;
  int val = *((int*)ptr);
  *data += 4;
  *size -= 4;
  return val;
}
// end simple garbage collector.

const uint8_t *syscall_data = NULL;
size_t syscall_size = 0;


int fuzz_ioctl(int fd, unsigned long request, void *arg) {
  int fd2 = fd;
  unsigned long request2 = request;
  void *arg_ptr = arg;

  // SIOCGSTAMP
  if (request == SIOCGSTAMP) {
    struct timeval *tv = (struct timeval*)arg_ptr;
    if (tv == NULL) {
      return 0;
    }

    char *rand_tv = gb_get_random_data(&syscall_data, &syscall_size, sizeof(struct timeval));
    if (rand_tv == NULL) {
      return -1;
    }

    memcpy(tv, rand_tv, sizeof(struct timeval));
    return 0;
  }

  if (request == SIOCGIFNAME) {
    //printf("We got a SIOCGIFNAME\n");
    struct ifreq *ifr = (struct ifreq*)arg_ptr;
    if (ifr == NULL) {
      return -1;
    }
    for (int i = 0; i < IF_NAMESIZE; i++) {
      if (syscall_size > 0 && syscall_data != NULL) {
        ifr->ifr_name[i] = (char)*syscall_data;
        syscall_data += 1;
        syscall_size -= 1;
      }
      else {
        ifr->ifr_name[i] = 'A';
      }
    }
    ifr->ifr_name[IF_NAMESIZE-1] = '\0';
    return 0;
    //return -1;
  }
  if (request == SIOCGIFFLAGS) {
    return 0;
  }
  if (request == SIOCGIFADDR) {
    return 0;
  }

  // 
  int retval = ioctl(fd2, request2, arg_ptr); 
  return retval;
}


// Sysytem call wrappers
static char v = 0;
ssize_t fuzz_recvmsg(int sockfd, struct msghdr *msg, int flags) {
  
  struct iovec *target = msg->msg_iov;

  //printf("recvmsg 1 \n");
  if (syscall_size > 1) {
    char r = *syscall_data;
    syscall_data += 1;
    syscall_size -= 1;

    if (r == 12) {
      //printf("recvmsg 2\n");
      return -1;
    }
  }

  int j = 0;
  if (msg->msg_control != NULL) {
    for (;j < CMSG_SPACE(sizeof(struct in_pktinfo)); j++)
    {
      if (syscall_size > 0 && syscall_data != NULL) {
        ((char*)msg->msg_control)[j] = *syscall_data;
        syscall_data += 1;
        syscall_size -= 1;
      }
      else {
        ((char*)msg->msg_control)[j] = 'A';
      }
    }
  }

  int i = 0;
  for (; i < target->iov_len; i++) {
    if (syscall_size > 0 && syscall_data != NULL) {
      ((char*)target->iov_base)[i] = *syscall_data;
      syscall_data += 1;
      syscall_size -= 1;
    }
    else {
      ((char*)target->iov_base)[i] = 'A';
    }
  }

  if (msg->msg_namelen > 0) {
    memset(msg->msg_name, 0, msg->msg_namelen);
  }

  return i;
}


// dnsmasq specific stuff
int init_daemon(const uint8_t **data2, size_t *size2) {
  const uint8_t *data = *data2;
  size_t size = *size2;

  int retval = 0;

#define CLEAN_IF_NULL(arg) if (arg == NULL) goto cleanup;

  // Initialize daemon
  daemon = (struct daemon*)gb_alloc_data(sizeof(struct daemon));
  CLEAN_IF_NULL(daemon)

  // daemon misc
  daemon->max_ttl = get_int(&data, &size);
  daemon->neg_ttl = get_int(&data, &size);
  daemon->local_ttl = get_int(&data, &size);
  daemon->min_cache_ttl = get_int(&data, &size);

  // daemon->namebuff.
  char *daemon_namebuff = gb_get_len_null_terminated(&data, &size, MAXDNAME);
  daemon->namebuff = daemon_namebuff;

  // daemon->naptr
  struct naptr *naptr_ptr = (struct naptr*)gb_alloc_data(sizeof(struct naptr));
  char *naptr_name = gb_get_null_terminated(&data, &size);
  char *naptr_replace = gb_get_null_terminated(&data, &size);
  char *naptr_regexp = gb_get_null_terminated(&data, &size);
  char *naptr_services = gb_get_null_terminated(&data, &size);
  char *naptr_flags = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(naptr_ptr)
  CLEAN_IF_NULL(naptr_name)
  CLEAN_IF_NULL(naptr_replace)
  CLEAN_IF_NULL(naptr_regexp)
  CLEAN_IF_NULL(naptr_services)
  CLEAN_IF_NULL(naptr_flags)

  naptr_ptr->name = naptr_name;
  naptr_ptr->replace = naptr_replace;
  naptr_ptr->regexp = naptr_regexp;
  naptr_ptr->services = naptr_services;
  naptr_ptr->flags = naptr_flags;

  daemon->naptr = naptr_ptr;

  // daemon->int_names
  struct interface_name *int_namses = (struct interface_name*)gb_alloc_data(sizeof(struct interface_name));

  char *int_name = gb_get_null_terminated(&data, &size);
  char *int_intr = gb_get_null_terminated(&data, &size);
  CLEAN_IF_NULL(int_namses)
  CLEAN_IF_NULL(int_name)
  CLEAN_IF_NULL(int_intr)
  int_namses->name = int_name;
  int_namses->intr = int_intr;

  struct addrlist *d_addrlist = (struct addrlist*)gb_alloc_data(sizeof(struct addrlist));
  CLEAN_IF_NULL(d_addrlist)
  d_addrlist->flags = get_int(&data, &size);
  d_addrlist->prefixlen = get_int(&data, &size);
  int_namses->addr = d_addrlist;

  daemon->int_names = int_namses;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->addrbuf
  char *adbuf = gb_alloc_data(200);
  CLEAN_IF_NULL(adbuf)
  daemon->addrbuff = adbuf;

  // daemon->auth_zones
  struct auth_zone *d_az = (struct auth_zone*)gb_alloc_data(sizeof(struct auth_zone));
  char *auth_domain = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(d_az)
  CLEAN_IF_NULL(auth_domain)
  d_az->domain = auth_domain;
  daemon->auth_zones = d_az;

  // deamon->mxnames
  struct mx_srv_record *mx_srv_rec = (struct mx_srv_record*)gb_alloc_data(sizeof(struct mx_srv_record));
  char *mx_name = gb_get_null_terminated(&data, &size);
  char *mx_target = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(mx_srv_rec)
  CLEAN_IF_NULL(mx_target)
  CLEAN_IF_NULL(mx_name)

  mx_srv_rec->next = daemon->mxnames;
  daemon->mxnames = mx_srv_rec;
  mx_srv_rec->name = mx_name;
  mx_srv_rec->target = mx_target;
  mx_srv_rec->issrv = get_int(&data, &size);
  mx_srv_rec->weight = get_int(&data, &size);
  mx_srv_rec->priority = get_int(&data, &size);
  mx_srv_rec->srvport = get_int(&data, &size);
  //data += 40;
  //size -= 40;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->txt
  struct txt_record *txt_record = (struct txt_record *)gb_alloc_data(sizeof(struct txt_record));
  char *txt_record_name =  gb_get_null_terminated(&data, &size);
  char *txt_record_txt = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(txt_record)
  CLEAN_IF_NULL(txt_record_name)
  CLEAN_IF_NULL(txt_record_txt)

  txt_record->name = txt_record_name;
  txt_record->txt = (unsigned char*)txt_record_txt;
  txt_record->class2 = (get_short(&data, &size) % 10);
  daemon->txt = txt_record;

  // daemon->rr
  struct txt_record *rr_record = (struct txt_record *)gb_alloc_data(sizeof(struct txt_record));
  char *rr_record_name =  gb_get_null_terminated(&data, &size);
  char *rr_record_txt = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(rr_record)
  CLEAN_IF_NULL(rr_record_name)
  CLEAN_IF_NULL(rr_record_txt)

  rr_record->name = rr_record_name;
  rr_record->txt = (unsigned char*)rr_record_txt;
  rr_record->class2 = (get_short(&data, &size) % 10);
  daemon->rr = rr_record;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->relay4
  //struct dhcp_relay *dr = (struct dhcp_relay*)gb_alloc_data(sizeof(struct dhcp_relay));
  struct dhcp_relay *dr = (struct dhcp_relay*)gb_get_random_data(&data, &size, sizeof(struct dhcp_relay));
  char *dr_interface = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(dr)
  CLEAN_IF_NULL(dr_interface)
  dr->interface = dr_interface;
  dr->next = NULL;
  //dr->current = NULL;
  daemon->relay4 = dr;

  // deamon->bridges
  struct dhcp_bridge *db = (struct dhcp_bridge*)gb_alloc_data(sizeof(struct dhcp_bridge));
  char *db_interface = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(db)
  CLEAN_IF_NULL(db_interface)

  if (strlen(db_interface) > IF_NAMESIZE) {
    for (int i = 0; i < IF_NAMESIZE; i++) {
      db->iface[i] = db_interface[i];
    }
  } else {
    for (int i = 0; i < strlen(db_interface); i++) {
      db->iface[i] = db_interface[i];
    }
  }


  struct dhcp_bridge *db_alias = (struct dhcp_bridge*)gb_alloc_data(sizeof(struct dhcp_bridge));
  //struct dhcp_bridge *db_alias = (struct dhcp_bridge*)gb_get_random_data(&data, &size, sizeof(struct dhcp_bridge));
  char *db_alias_interface = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(db_alias)
  CLEAN_IF_NULL(db_alias_interface)

  if (strlen(db_alias_interface) > IF_NAMESIZE) {
    for (int i = 0; i < IF_NAMESIZE; i++) {
      db_alias->iface[i] = db_alias_interface[i];
    }
  } else {
    for (int i = 0; i < strlen(db_alias_interface); i++) {
      db_alias->iface[i] = db_alias_interface[i];
    }
  }
  db->alias = db_alias;
  daemon->bridges = db;

  // daemon->if_names
  struct iname *in = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *iname_name = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(in)
  CLEAN_IF_NULL(iname_name)

  in->name = iname_name;
  in->next = NULL;

  daemon->if_names = in;

  // daemon->if_addrs
  struct iname *in_addr = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *iname_name_addr = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(in_addr)
  CLEAN_IF_NULL(iname_name_addr)

  in_addr->name = iname_name_addr;
  in_addr->next = NULL;

  daemon->if_addrs = in_addr;

  // daemon->if_except
  struct iname *in_except = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *iname_name_except = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(in_except)
  CLEAN_IF_NULL(iname_name_except)

  in_except->name = iname_name_except;
  in_except->next = NULL;

  daemon->if_except = in_except;

  // daemon->dhcp_except
  struct iname *except = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *name_except = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(except)
  CLEAN_IF_NULL(name_except)

  except->name = name_except;
  except->next = NULL;

  daemon->dhcp_except = except;

  // daemon->authinterface
  struct iname *auth_interface = (struct iname*)gb_get_random_data(&data, &size, sizeof(struct iname));
  char *auth_name = gb_get_null_terminated(&data, &size);
  
  CLEAN_IF_NULL(auth_interface)
  CLEAN_IF_NULL(auth_name)

  auth_interface->name = auth_name;
  auth_interface->next = NULL;

  daemon->authinterface = auth_interface;


  // daemon->cnames
  struct cname *cn = (struct cname*)gb_alloc_data(sizeof(struct cname));
  char *cname_alias = gb_get_null_terminated(&data, &size);
  char *cname_target = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(cn)
  CLEAN_IF_NULL(cname_alias)
  CLEAN_IF_NULL(cname_target)

  cn->alias = cname_alias;
  cn->target = cname_target;
  daemon->cnames = cn;


  // daemon->ptr
  struct ptr_record *ptr = (struct ptr_record *)gb_alloc_data(sizeof(struct ptr_record));
  CLEAN_IF_NULL(ptr)

  char *ptr_name = gb_get_null_terminated(&data, &size);
  CLEAN_IF_NULL(ptr_name)
  ptr->name = ptr_name;
  daemon->ptr = ptr;

  if (size > *size2) {
    goto cleanup;
  }

  // daemon->dhcp
  struct dhcp_context *dhcp_c = (struct dhcp_context *) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
  
  char *dhcp_c_temp_in = gb_get_null_terminated(&data, &size);

  struct dhcp_netid *dhcp_c_netid = (struct dhcp_netid *) gb_alloc_data(sizeof(struct dhcp_netid));
  char *dhcp_netid_net = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(dhcp_c)
  CLEAN_IF_NULL(dhcp_c_temp_in)
  CLEAN_IF_NULL(dhcp_c_netid)
  CLEAN_IF_NULL(dhcp_netid_net)

  dhcp_c->next = NULL;
  dhcp_c->current = NULL;
  dhcp_c_netid->net = dhcp_netid_net;
  dhcp_c->filter = dhcp_c_netid;
  dhcp_c->template_interface = dhcp_c_temp_in;

  daemon->dhcp = dhcp_c;


  // daemon->dhcp6
  struct dhcp_context *dhcp6_c = (struct dhcp_context *) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
  
  char *dhcp6_c_temp_in = gb_get_null_terminated(&data, &size);

  struct dhcp_netid *dhcp6_c_netid = (struct dhcp_netid *) gb_alloc_data(sizeof(struct dhcp_netid));
  char *dhcp6_netid_net = gb_get_null_terminated(&data, &size);

  CLEAN_IF_NULL(dhcp6_c)
  CLEAN_IF_NULL(dhcp6_c_temp_in)
  CLEAN_IF_NULL(dhcp6_c_netid)
  CLEAN_IF_NULL(dhcp6_netid_net)

  dhcp6_c->next = NULL;
  dhcp6_c->current = NULL;
  dhcp6_c_netid->net = dhcp6_netid_net;
  dhcp6_c->filter = dhcp6_c_netid;
  dhcp6_c->template_interface = dhcp6_c_temp_in;

  daemon->dhcp6 = dhcp6_c;

  // daemon->doing_dhcp6
  daemon->doing_dhcp6 = 1;

  // daemon->dhcp_buffs
  char *dhcp_buff = gb_alloc_data(DHCP_BUFF_SZ);
  char *dhcp_buff2 = gb_alloc_data(DHCP_BUFF_SZ);
  char *dhcp_buff3 = gb_alloc_data(DHCP_BUFF_SZ);

  CLEAN_IF_NULL(dhcp_buff)
  CLEAN_IF_NULL(dhcp_buff2)
  CLEAN_IF_NULL(dhcp_buff3)

  daemon->dhcp_buff = dhcp_buff;
  daemon->dhcp_buff2 = dhcp_buff2;
  daemon->dhcp_buff3 = dhcp_buff3;



  // daemon->ignore_addr
  struct bogus_addr *bb = (struct bogus_addr *)gb_alloc_data(sizeof(struct bogus_addr));
  CLEAN_IF_NULL(bb)

  daemon->ignore_addr = bb;

  // daemon->doctors
  if (size > *size2) {
    goto cleanup;
  }

  struct doctor *doctors = (struct doctor *)gb_alloc_data(sizeof(struct doctor));
  CLEAN_IF_NULL(doctors)

  doctors->next = NULL;
  daemon->doctors = doctors;

  retval = 0;
  goto ret;
cleanup:
  retval = -1;

ret:
  return retval;
}

Coverage Report

Created: 2025-07-11 07:00

Line	Count	Source (jump to first uncovered line)
1		/* Copyright 2021 Google LLC
2		Licensed under the Apache License, Version 2.0 (the "License");
3		you may not use this file except in compliance with the License.
4		You may obtain a copy of the License at
5		http://www.apache.org/licenses/LICENSE-2.0
6		Unless required by applicable law or agreed to in writing, software
7		distributed under the License is distributed on an "AS IS" BASIS,
8		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9		See the License for the specific language governing permissions and
10		limitations under the License.
11		*/
12
13		#include "dnsmasq.h"
14
15		extern void fuzz_blockdata_cleanup();
16
17		// Simple garbage collector
18	166k	#define GB_SIZE 100
19
20		void *pointer_arr[GB_SIZE];
21		static int pointer_idx = 0;
22
23		// If the garbage collector is used then this must be called as first thing
24		// during a fuzz run.
25	823	void gb_init() {
26	823	pointer_idx = 0;
27
28	83.1k	for (int i = 0; i < GB_SIZE; i++) {
29	82.3k	pointer_arr[i] = NULL;
30	82.3k	}
31	823	}
32
33	823	void gb_cleanup() {
34	83.1k	for(int i = 0; i < GB_SIZE; i++) {
35	82.3k	if (pointer_arr[i] != NULL) {
36	37.1k	free(pointer_arr[i]);
37	37.1k	}
38	82.3k	}
39	823	}
40
41	20.7k	char get_len_null_terminated(const uint8_t data, size_t size, size_t to_get) {
42	20.7k	if (size < to_get \|\| (int)size < 0) {
43	739	return NULL;
44	739	}
45
46	20.0k	char *new_s = malloc(to_get + 1);
47	20.0k	memcpy(new_s, *data, to_get);
48	20.0k	new_s[to_get] = '\0';
49
50	20.0k	data = data+to_get;
51	20.0k	*size -= to_get;
52	20.0k	return new_s;
53	20.7k	}
54
55	18.9k	char get_null_terminated(const uint8_t data, size_t size) {
56	18.9k	#define STR_SIZE 75
57	18.9k	return get_len_null_terminated(data, size, STR_SIZE);
58	18.9k	}
59
60	4.50k	char gb_get_random_data(const uint8_t data, size_t size, size_t to_get) {
61	4.50k	if (size < to_get \|\| (int)size < 0) {
62	52	return NULL;
63	52	}
64
65	4.45k	char *new_s = malloc(to_get);
66	4.45k	memcpy(new_s, *data, to_get);
67
68	4.45k	pointer_arr[pointer_idx++] = (void*)new_s;
69
70	4.45k	data = data + to_get;
71	4.45k	*size -= to_get;
72
73	4.45k	return new_s;
74	4.50k	}
75
76	18.9k	char gb_get_null_terminated(const uint8_t data, size_t size) {
77
78	18.9k	char *nstr = get_null_terminated(data, size);
79	18.9k	if (nstr == NULL) {
80	565	return NULL;
81	565	}
82	18.3k	pointer_arr[pointer_idx++] = (void*)nstr;
83	18.3k	return nstr;
84	18.9k	}
85
86	1.83k	char gb_get_len_null_terminated(const uint8_t data, size_t size, size_t to_get) {
87
88	1.83k	char *nstr = get_len_null_terminated(data, size, to_get);
89	1.83k	if (nstr != NULL) {
90	1.66k	pointer_arr[pointer_idx++] = (void*)nstr;
91	1.66k	}
92	1.83k	return nstr;
93	1.83k	}
94
95	12.6k	char *gb_alloc_data(size_t len) {
96	12.6k	char *ptr = calloc(1, len);
97	12.6k	pointer_arr[pointer_idx++] = (void*)ptr;
98
99	12.6k	return ptr;
100	12.6k	}
101
102	1.30k	short get_short(const uint8_t *data, size_t size) {
103	1.30k	if (*size <= 0) return 0;
104	1.30k	short c = (short)(*data)[0];
105	1.30k	*data += 1;
106	1.30k	*size-=1;
107	1.30k	return c;
108	1.30k	}
109
110	7.60k	int get_int(const uint8_t *data, size_t size) {
111	7.60k	if (*size <= 4) return 0;
112	7.53k	const uint8_t ptr = data;
113	7.53k	int val = ((int)ptr);
114	7.53k	*data += 4;
115	7.53k	*size -= 4;
116	7.53k	return val;
117	7.60k	}
118		// end simple garbage collector.
119
120		const uint8_t *syscall_data = NULL;
121		size_t syscall_size = 0;
122
123
124	0	int fuzz_ioctl(int fd, unsigned long request, void *arg) {
125	0	int fd2 = fd;
126	0	unsigned long request2 = request;
127	0	void *arg_ptr = arg;
128
129		// SIOCGSTAMP
130	0	if (request == SIOCGSTAMP) {
131	0	struct timeval tv = (struct timeval)arg_ptr;
132	0	if (tv == NULL) {
133	0	return 0;
134	0	}
135
136	0	char *rand_tv = gb_get_random_data(&syscall_data, &syscall_size, sizeof(struct timeval));
137	0	if (rand_tv == NULL) {
138	0	return -1;
139	0	}
140
141	0	memcpy(tv, rand_tv, sizeof(struct timeval));
142	0	return 0;
143	0	}
144
145	0	if (request == SIOCGIFNAME) {
146		//printf("We got a SIOCGIFNAME\n");
147	0	struct ifreq ifr = (struct ifreq)arg_ptr;
148	0	if (ifr == NULL) {
149	0	return -1;
150	0	}
151	0	for (int i = 0; i < IF_NAMESIZE; i++) {
152	0	if (syscall_size > 0 && syscall_data != NULL) {
153	0	ifr->ifr_name[i] = (char)*syscall_data;
154	0	syscall_data += 1;
155	0	syscall_size -= 1;
156	0	}
157	0	else {
158	0	ifr->ifr_name[i] = 'A';
159	0	}
160	0	}
161	0	ifr->ifr_name[IF_NAMESIZE-1] = '\0';
162	0	return 0;
163		//return -1;
164	0	}
165	0	if (request == SIOCGIFFLAGS) {
166	0	return 0;
167	0	}
168	0	if (request == SIOCGIFADDR) {
169	0	return 0;
170	0	}
171
172		//
173	0	int retval = ioctl(fd2, request2, arg_ptr);
174	0	return retval;
175	0	}
176
177
178		// Sysytem call wrappers
179		static char v = 0;
180	0	ssize_t fuzz_recvmsg(int sockfd, struct msghdr *msg, int flags) {
181
182	0	struct iovec *target = msg->msg_iov;
183
184		//printf("recvmsg 1 \n");
185	0	if (syscall_size > 1) {
186	0	char r = *syscall_data;
187	0	syscall_data += 1;
188	0	syscall_size -= 1;
189
190	0	if (r == 12) {
191		//printf("recvmsg 2\n");
192	0	return -1;
193	0	}
194	0	}
195
196	0	int j = 0;
197	0	if (msg->msg_control != NULL) {
198	0	for (;j < CMSG_SPACE(sizeof(struct in_pktinfo)); j++)
199	0	{
200	0	if (syscall_size > 0 && syscall_data != NULL) {
201	0	((char)msg->msg_control)[j] = syscall_data;
202	0	syscall_data += 1;
203	0	syscall_size -= 1;
204	0	}
205	0	else {
206	0	((char*)msg->msg_control)[j] = 'A';
207	0	}
208	0	}
209	0	}
210
211	0	int i = 0;
212	0	for (; i < target->iov_len; i++) {
213	0	if (syscall_size > 0 && syscall_data != NULL) {
214	0	((char)target->iov_base)[i] = syscall_data;
215	0	syscall_data += 1;
216	0	syscall_size -= 1;
217	0	}
218	0	else {
219	0	((char*)target->iov_base)[i] = 'A';
220	0	}
221	0	}
222
223	0	if (msg->msg_namelen > 0) {
224	0	memset(msg->msg_name, 0, msg->msg_namelen);
225	0	}
226
227	0	return i;
228	0	}
229
230
231		// dnsmasq specific stuff
232	823	int init_daemon(const uint8_t *data2, size_t size2) {
233	823	const uint8_t data = data2;
234	823	size_t size = *size2;
235
236	823	int retval = 0;
237
238	35.7k	#define CLEAN_IF_NULL(arg) if (arg == NULL) goto cleanup;
239
240		// Initialize daemon
241	823	daemon = (struct daemon*)gb_alloc_data(sizeof(struct daemon));
242	823	CLEAN_IF_NULL(daemon)
243
244		// daemon misc
245	823	daemon->max_ttl = get_int(&data, &size);
246	823	daemon->neg_ttl = get_int(&data, &size);
247	823	daemon->local_ttl = get_int(&data, &size);
248	823	daemon->min_cache_ttl = get_int(&data, &size);
249
250		// daemon->namebuff.
251	823	char *daemon_namebuff = gb_get_len_null_terminated(&data, &size, MAXDNAME);
252	823	daemon->namebuff = daemon_namebuff;
253
254		// daemon->naptr
255	823	struct naptr naptr_ptr = (struct naptr)gb_alloc_data(sizeof(struct naptr));
256	823	char *naptr_name = gb_get_null_terminated(&data, &size);
257	823	char *naptr_replace = gb_get_null_terminated(&data, &size);
258	823	char *naptr_regexp = gb_get_null_terminated(&data, &size);
259	823	char *naptr_services = gb_get_null_terminated(&data, &size);
260	823	char *naptr_flags = gb_get_null_terminated(&data, &size);
261
262	823	CLEAN_IF_NULL(naptr_ptr)
263	823	CLEAN_IF_NULL(naptr_name)
264	788	CLEAN_IF_NULL(naptr_replace)
265	781	CLEAN_IF_NULL(naptr_regexp)
266	778	CLEAN_IF_NULL(naptr_services)
267	770	CLEAN_IF_NULL(naptr_flags)
268
269	767	naptr_ptr->name = naptr_name;
270	767	naptr_ptr->replace = naptr_replace;
271	767	naptr_ptr->regexp = naptr_regexp;
272	767	naptr_ptr->services = naptr_services;
273	767	naptr_ptr->flags = naptr_flags;
274
275	767	daemon->naptr = naptr_ptr;
276
277		// daemon->int_names
278	767	struct interface_name int_namses = (struct interface_name)gb_alloc_data(sizeof(struct interface_name));
279
280	767	char *int_name = gb_get_null_terminated(&data, &size);
281	767	char *int_intr = gb_get_null_terminated(&data, &size);
282	767	CLEAN_IF_NULL(int_namses)
283	767	CLEAN_IF_NULL(int_name)
284	752	CLEAN_IF_NULL(int_intr)
285	742	int_namses->name = int_name;
286	742	int_namses->intr = int_intr;
287
288	742	struct addrlist d_addrlist = (struct addrlist)gb_alloc_data(sizeof(struct addrlist));
289	742	CLEAN_IF_NULL(d_addrlist)
290	742	d_addrlist->flags = get_int(&data, &size);
291	742	d_addrlist->prefixlen = get_int(&data, &size);
292	742	int_namses->addr = d_addrlist;
293
294	742	daemon->int_names = int_namses;
295
296	742	if (size > *size2) {
297	0	goto cleanup;
298	0	}
299
300		// daemon->addrbuf
301	742	char *adbuf = gb_alloc_data(200);
302	742	CLEAN_IF_NULL(adbuf)
303	742	daemon->addrbuff = adbuf;
304
305		// daemon->auth_zones
306	742	struct auth_zone d_az = (struct auth_zone)gb_alloc_data(sizeof(struct auth_zone));
307	742	char *auth_domain = gb_get_null_terminated(&data, &size);
308
309	742	CLEAN_IF_NULL(d_az)
310	742	CLEAN_IF_NULL(auth_domain)
311	716	d_az->domain = auth_domain;
312	716	daemon->auth_zones = d_az;
313
314		// deamon->mxnames
315	716	struct mx_srv_record mx_srv_rec = (struct mx_srv_record)gb_alloc_data(sizeof(struct mx_srv_record));
316	716	char *mx_name = gb_get_null_terminated(&data, &size);
317	716	char *mx_target = gb_get_null_terminated(&data, &size);
318
319	716	CLEAN_IF_NULL(mx_srv_rec)
320	716	CLEAN_IF_NULL(mx_target)
321	706	CLEAN_IF_NULL(mx_name)
322
323	706	mx_srv_rec->next = daemon->mxnames;
324	706	daemon->mxnames = mx_srv_rec;
325	706	mx_srv_rec->name = mx_name;
326	706	mx_srv_rec->target = mx_target;
327	706	mx_srv_rec->issrv = get_int(&data, &size);
328	706	mx_srv_rec->weight = get_int(&data, &size);
329	706	mx_srv_rec->priority = get_int(&data, &size);
330	706	mx_srv_rec->srvport = get_int(&data, &size);
331		//data += 40;
332		//size -= 40;
333
334	706	if (size > *size2) {
335	0	goto cleanup;
336	0	}
337
338		// daemon->txt
339	706	struct txt_record txt_record = (struct txt_record )gb_alloc_data(sizeof(struct txt_record));
340	706	char *txt_record_name = gb_get_null_terminated(&data, &size);
341	706	char *txt_record_txt = gb_get_null_terminated(&data, &size);
342
343	706	CLEAN_IF_NULL(txt_record)
344	706	CLEAN_IF_NULL(txt_record_name)
345	678	CLEAN_IF_NULL(txt_record_txt)
346
347	669	txt_record->name = txt_record_name;
348	669	txt_record->txt = (unsigned char*)txt_record_txt;
349	669	txt_record->class2 = (get_short(&data, &size) % 10);
350	669	daemon->txt = txt_record;
351
352		// daemon->rr
353	669	struct txt_record rr_record = (struct txt_record )gb_alloc_data(sizeof(struct txt_record));
354	669	char *rr_record_name = gb_get_null_terminated(&data, &size);
355	669	char *rr_record_txt = gb_get_null_terminated(&data, &size);
356
357	669	CLEAN_IF_NULL(rr_record)
358	669	CLEAN_IF_NULL(rr_record_name)
359	658	CLEAN_IF_NULL(rr_record_txt)
360
361	638	rr_record->name = rr_record_name;
362	638	rr_record->txt = (unsigned char*)rr_record_txt;
363	638	rr_record->class2 = (get_short(&data, &size) % 10);
364	638	daemon->rr = rr_record;
365
366	638	if (size > *size2) {
367	0	goto cleanup;
368	0	}
369
370		// daemon->relay4
371		//struct dhcp_relay dr = (struct dhcp_relay)gb_alloc_data(sizeof(struct dhcp_relay));
372	638	struct dhcp_relay dr = (struct dhcp_relay)gb_get_random_data(&data, &size, sizeof(struct dhcp_relay));
373	638	char *dr_interface = gb_get_null_terminated(&data, &size);
374
375	638	CLEAN_IF_NULL(dr)
376	621	CLEAN_IF_NULL(dr_interface)
377	609	dr->interface = dr_interface;
378	609	dr->next = NULL;
379		//dr->current = NULL;
380	609	daemon->relay4 = dr;
381
382		// deamon->bridges
383	609	struct dhcp_bridge db = (struct dhcp_bridge)gb_alloc_data(sizeof(struct dhcp_bridge));
384	609	char *db_interface = gb_get_null_terminated(&data, &size);
385
386	609	CLEAN_IF_NULL(db)
387	609	CLEAN_IF_NULL(db_interface)
388
389	602	if (strlen(db_interface) > IF_NAMESIZE) {
390	6.20k	for (int i = 0; i < IF_NAMESIZE; i++) {
391	5.84k	db->iface[i] = db_interface[i];
392	5.84k	}
393	365	} else {
394	1.07k	for (int i = 0; i < strlen(db_interface); i++) {
395	842	db->iface[i] = db_interface[i];
396	842	}
397	237	}
398
399
400	602	struct dhcp_bridge db_alias = (struct dhcp_bridge)gb_alloc_data(sizeof(struct dhcp_bridge));
401		//struct dhcp_bridge db_alias = (struct dhcp_bridge)gb_get_random_data(&data, &size, sizeof(struct dhcp_bridge));
402	602	char *db_alias_interface = gb_get_null_terminated(&data, &size);
403
404	602	CLEAN_IF_NULL(db_alias)
405	602	CLEAN_IF_NULL(db_alias_interface)
406
407	586	if (strlen(db_alias_interface) > IF_NAMESIZE) {
408	5.86k	for (int i = 0; i < IF_NAMESIZE; i++) {
409	5.52k	db_alias->iface[i] = db_alias_interface[i];
410	5.52k	}
411	345	} else {
412	945	for (int i = 0; i < strlen(db_alias_interface); i++) {
413	704	db_alias->iface[i] = db_alias_interface[i];
414	704	}
415	241	}
416	586	db->alias = db_alias;
417	586	daemon->bridges = db;
418
419		// daemon->if_names
420	586	struct iname in = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
421	586	char *iname_name = gb_get_null_terminated(&data, &size);
422
423	586	CLEAN_IF_NULL(in)
424	571	CLEAN_IF_NULL(iname_name)
425
426	568	in->name = iname_name;
427	568	in->next = NULL;
428
429	568	daemon->if_names = in;
430
431		// daemon->if_addrs
432	568	struct iname in_addr = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
433	568	char *iname_name_addr = gb_get_null_terminated(&data, &size);
434
435	568	CLEAN_IF_NULL(in_addr)
436	565	CLEAN_IF_NULL(iname_name_addr)
437
438	560	in_addr->name = iname_name_addr;
439	560	in_addr->next = NULL;
440
441	560	daemon->if_addrs = in_addr;
442
443		// daemon->if_except
444	560	struct iname in_except = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
445	560	char *iname_name_except = gb_get_null_terminated(&data, &size);
446
447	560	CLEAN_IF_NULL(in_except)
448	558	CLEAN_IF_NULL(iname_name_except)
449
450	557	in_except->name = iname_name_except;
451	557	in_except->next = NULL;
452
453	557	daemon->if_except = in_except;
454
455		// daemon->dhcp_except
456	557	struct iname except = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
457	557	char *name_except = gb_get_null_terminated(&data, &size);
458
459	557	CLEAN_IF_NULL(except)
460	554	CLEAN_IF_NULL(name_except)
461
462	550	except->name = name_except;
463	550	except->next = NULL;
464
465	550	daemon->dhcp_except = except;
466
467		// daemon->authinterface
468	550	struct iname auth_interface = (struct iname)gb_get_random_data(&data, &size, sizeof(struct iname));
469	550	char *auth_name = gb_get_null_terminated(&data, &size);
470
471	550	CLEAN_IF_NULL(auth_interface)
472	549	CLEAN_IF_NULL(auth_name)
473
474	540	auth_interface->name = auth_name;
475	540	auth_interface->next = NULL;
476
477	540	daemon->authinterface = auth_interface;
478
479
480		// daemon->cnames
481	540	struct cname cn = (struct cname)gb_alloc_data(sizeof(struct cname));
482	540	char *cname_alias = gb_get_null_terminated(&data, &size);
483	540	char *cname_target = gb_get_null_terminated(&data, &size);
484
485	540	CLEAN_IF_NULL(cn)
486	540	CLEAN_IF_NULL(cname_alias)
487	536	CLEAN_IF_NULL(cname_target)
488
489	532	cn->alias = cname_alias;
490	532	cn->target = cname_target;
491	532	daemon->cnames = cn;
492
493
494		// daemon->ptr
495	532	struct ptr_record ptr = (struct ptr_record )gb_alloc_data(sizeof(struct ptr_record));
496	532	CLEAN_IF_NULL(ptr)
497
498	532	char *ptr_name = gb_get_null_terminated(&data, &size);
499	532	CLEAN_IF_NULL(ptr_name)
500	529	ptr->name = ptr_name;
501	529	daemon->ptr = ptr;
502
503	529	if (size > *size2) {
504	0	goto cleanup;
505	0	}
506
507		// daemon->dhcp
508	529	struct dhcp_context dhcp_c = (struct dhcp_context ) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
509
510	529	char *dhcp_c_temp_in = gb_get_null_terminated(&data, &size);
511
512	529	struct dhcp_netid dhcp_c_netid = (struct dhcp_netid ) gb_alloc_data(sizeof(struct dhcp_netid));
513	529	char *dhcp_netid_net = gb_get_null_terminated(&data, &size);
514
515	529	CLEAN_IF_NULL(dhcp_c)
516	522	CLEAN_IF_NULL(dhcp_c_temp_in)
517	520	CLEAN_IF_NULL(dhcp_c_netid)
518	520	CLEAN_IF_NULL(dhcp_netid_net)
519
520	518	dhcp_c->next = NULL;
521	518	dhcp_c->current = NULL;
522	518	dhcp_c_netid->net = dhcp_netid_net;
523	518	dhcp_c->filter = dhcp_c_netid;
524	518	dhcp_c->template_interface = dhcp_c_temp_in;
525
526	518	daemon->dhcp = dhcp_c;
527
528
529		// daemon->dhcp6
530	518	struct dhcp_context dhcp6_c = (struct dhcp_context ) gb_get_random_data(&data, &size, sizeof(struct dhcp_context));
531
532	518	char *dhcp6_c_temp_in = gb_get_null_terminated(&data, &size);
533
534	518	struct dhcp_netid dhcp6_c_netid = (struct dhcp_netid ) gb_alloc_data(sizeof(struct dhcp_netid));
535	518	char *dhcp6_netid_net = gb_get_null_terminated(&data, &size);
536
537	518	CLEAN_IF_NULL(dhcp6_c)
538	514	CLEAN_IF_NULL(dhcp6_c_temp_in)
539	513	CLEAN_IF_NULL(dhcp6_c_netid)
540	513	CLEAN_IF_NULL(dhcp6_netid_net)
541
542	508	dhcp6_c->next = NULL;
543	508	dhcp6_c->current = NULL;
544	508	dhcp6_c_netid->net = dhcp6_netid_net;
545	508	dhcp6_c->filter = dhcp6_c_netid;
546	508	dhcp6_c->template_interface = dhcp6_c_temp_in;
547
548	508	daemon->dhcp6 = dhcp6_c;
549
550		// daemon->doing_dhcp6
551	508	daemon->doing_dhcp6 = 1;
552
553		// daemon->dhcp_buffs
554	508	char *dhcp_buff = gb_alloc_data(DHCP_BUFF_SZ);
555	508	char *dhcp_buff2 = gb_alloc_data(DHCP_BUFF_SZ);
556	508	char *dhcp_buff3 = gb_alloc_data(DHCP_BUFF_SZ);
557
558	508	CLEAN_IF_NULL(dhcp_buff)
559	508	CLEAN_IF_NULL(dhcp_buff2)
560	508	CLEAN_IF_NULL(dhcp_buff3)
561
562	508	daemon->dhcp_buff = dhcp_buff;
563	508	daemon->dhcp_buff2 = dhcp_buff2;
564	508	daemon->dhcp_buff3 = dhcp_buff3;
565
566
567
568		// daemon->ignore_addr
569	508	struct bogus_addr bb = (struct bogus_addr )gb_alloc_data(sizeof(struct bogus_addr));
570	508	CLEAN_IF_NULL(bb)
571
572	508	daemon->ignore_addr = bb;
573
574		// daemon->doctors
575	508	if (size > *size2) {
576	0	goto cleanup;
577	0	}
578
579	508	struct doctor doctors = (struct doctor )gb_alloc_data(sizeof(struct doctor));
580	508	CLEAN_IF_NULL(doctors)
581
582	508	doctors->next = NULL;
583	508	daemon->doctors = doctors;
584
585	508	retval = 0;
586	508	goto ret;
587	315	cleanup:
588	315	retval = -1;
589
590	823	ret:
591	823	return retval;
592	315	}