/src/fuzz_util.cc

Source
/* Copyright 2026 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

extern "C" {
#include "dnsmasq.h"
}

#include <fuzzer/FuzzedDataProvider.h>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

#define STR_SIZE 75

static int init_daemon(FuzzedDataProvider &provider,
                       std::vector<void *> &allocs,
                       std::vector<std::string> &strings) {
  auto alloc = [&](size_t sz) -> void * {
    void *p = calloc(1, sz);
    if (p) allocs.push_back(p);
    return p;
  };

  auto make_string = [&](size_t max_len) -> char * {
    strings.push_back(provider.ConsumeRandomLengthString(max_len));
    return strings.back().data();
  };

  // Allocate daemon separately (not via alloc) so it can be freed last.
  // dnsmasq's free_real() dereferences daemon for metrics tracking.
  daemon = (struct daemon *)calloc(1, sizeof(struct daemon));
  if (!daemon) return -1;

  daemon->max_ttl = provider.ConsumeIntegral<int>();
  daemon->neg_ttl = provider.ConsumeIntegral<int>();
  daemon->local_ttl = provider.ConsumeIntegral<int>();
  daemon->min_cache_ttl = provider.ConsumeIntegral<int>();

  daemon->namebuff = make_string(MAXDNAME);

  // daemon->naptr
  struct naptr *naptr_ptr = (struct naptr *)alloc(sizeof(struct naptr));
  if (!naptr_ptr) return -1;
  naptr_ptr->name = make_string(STR_SIZE);
  naptr_ptr->replace = make_string(STR_SIZE);
  naptr_ptr->regexp = make_string(STR_SIZE);
  naptr_ptr->services = make_string(STR_SIZE);
  naptr_ptr->flags = make_string(STR_SIZE);
  daemon->naptr = naptr_ptr;

  // daemon->int_names
  struct interface_name *int_namses =
      (struct interface_name *)alloc(sizeof(struct interface_name));
  if (!int_namses) return -1;
  int_namses->name = make_string(STR_SIZE);
  int_namses->intr = make_string(STR_SIZE);

  struct addrlist *d_addrlist = (struct addrlist *)alloc(sizeof(struct addrlist));
  if (!d_addrlist) return -1;
  d_addrlist->flags = provider.ConsumeIntegral<int>();
  d_addrlist->prefixlen = provider.ConsumeIntegral<int>();
  int_namses->addr = d_addrlist;
  daemon->int_names = int_namses;

  // daemon->addrbuf
  char *adbuf = (char *)alloc(200);
  if (!adbuf) return -1;
  daemon->addrbuff = adbuf;

  // daemon->auth_zones
  struct auth_zone *d_az = (struct auth_zone *)alloc(sizeof(struct auth_zone));
  if (!d_az) return -1;
  d_az->domain = make_string(STR_SIZE);
  daemon->auth_zones = d_az;

  // daemon->mxnames
  struct mx_srv_record *mx_srv_rec =
      (struct mx_srv_record *)alloc(sizeof(struct mx_srv_record));
  if (!mx_srv_rec) return -1;
  mx_srv_rec->next = daemon->mxnames;
  daemon->mxnames = mx_srv_rec;
  mx_srv_rec->name = make_string(STR_SIZE);
  mx_srv_rec->target = make_string(STR_SIZE);
  mx_srv_rec->issrv = provider.ConsumeIntegral<int>();
  mx_srv_rec->weight = provider.ConsumeIntegral<int>();
  mx_srv_rec->priority = provider.ConsumeIntegral<int>();
  mx_srv_rec->srvport = provider.ConsumeIntegral<int>();

  // daemon->txt
  struct txt_record *txt_record =
      (struct txt_record *)alloc(sizeof(struct txt_record));
  if (!txt_record) return -1;
  txt_record->name = make_string(STR_SIZE);
  txt_record->txt = (unsigned char *)make_string(STR_SIZE);
  txt_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
  daemon->txt = txt_record;

  // daemon->rr
  struct txt_record *rr_record =
      (struct txt_record *)alloc(sizeof(struct txt_record));
  if (!rr_record) return -1;
  rr_record->name = make_string(STR_SIZE);
  rr_record->txt = (unsigned char *)make_string(STR_SIZE);
  rr_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
  daemon->rr = rr_record;

  // daemon->relay4
  struct dhcp_relay *dr = (struct dhcp_relay *)alloc(sizeof(struct dhcp_relay));
  if (!dr) return -1;
  dr->interface = make_string(STR_SIZE);
  dr->next = NULL;
  daemon->relay4 = dr;

  // daemon->bridges
  struct dhcp_bridge *db = (struct dhcp_bridge *)alloc(sizeof(struct dhcp_bridge));
  if (!db) return -1;
  {
    std::string iface_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
    memcpy(db->iface, iface_str.c_str(), iface_str.size() + 1);
  }

  struct dhcp_bridge *db_alias =
      (struct dhcp_bridge *)alloc(sizeof(struct dhcp_bridge));
  if (!db_alias) return -1;
  {
    std::string alias_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
    memcpy(db_alias->iface, alias_str.c_str(), alias_str.size() + 1);
  }
  db->alias = db_alias;
  daemon->bridges = db;

  // daemon->if_names, if_addrs, if_except, dhcp_except, authinterface
  auto make_iname = [&]() -> struct iname * {
    struct iname *in = (struct iname *)alloc(sizeof(struct iname));
    if (!in) return nullptr;
    in->name = make_string(STR_SIZE);
    in->next = NULL;
    return in;
  };

  daemon->if_names = make_iname();
  daemon->if_addrs = make_iname();
  daemon->if_except = make_iname();
  daemon->dhcp_except = make_iname();
  daemon->authinterface = make_iname();
  if (!daemon->if_names || !daemon->if_addrs || !daemon->if_except ||
      !daemon->dhcp_except || !daemon->authinterface)
    return -1;

  // daemon->cnames
  struct cname *cn = (struct cname *)alloc(sizeof(struct cname));
  if (!cn) return -1;
  cn->alias = make_string(STR_SIZE);
  cn->target = make_string(STR_SIZE);
  daemon->cnames = cn;

  // daemon->ptr
  struct ptr_record *ptr = (struct ptr_record *)alloc(sizeof(struct ptr_record));
  if (!ptr) return -1;
  ptr->name = make_string(STR_SIZE);
  daemon->ptr = ptr;

  // daemon->dhcp
  struct dhcp_context *dhcp_c =
      (struct dhcp_context *)alloc(sizeof(struct dhcp_context));
  if (!dhcp_c) return -1;
  dhcp_c->next = NULL;
  dhcp_c->current = NULL;
  struct dhcp_netid *dhcp_c_netid =
      (struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
  if (!dhcp_c_netid) return -1;
  dhcp_c_netid->net = make_string(STR_SIZE);
  dhcp_c->filter = dhcp_c_netid;
  dhcp_c->template_interface = make_string(STR_SIZE);
  daemon->dhcp = dhcp_c;

  // daemon->dhcp6
  struct dhcp_context *dhcp6_c =
      (struct dhcp_context *)alloc(sizeof(struct dhcp_context));
  if (!dhcp6_c) return -1;
  dhcp6_c->next = NULL;
  dhcp6_c->current = NULL;
  struct dhcp_netid *dhcp6_c_netid =
      (struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
  if (!dhcp6_c_netid) return -1;
  dhcp6_c_netid->net = make_string(STR_SIZE);
  dhcp6_c->filter = dhcp6_c_netid;
  dhcp6_c->template_interface = make_string(STR_SIZE);
  daemon->dhcp6 = dhcp6_c;

  daemon->doing_dhcp6 = 1;

  // daemon->dhcp_buffs
  daemon->dhcp_buff = (char *)alloc(DHCP_BUFF_SZ);
  daemon->dhcp_buff2 = (char *)alloc(DHCP_BUFF_SZ);
  daemon->dhcp_buff3 = (char *)alloc(DHCP_BUFF_SZ);
  if (!daemon->dhcp_buff || !daemon->dhcp_buff2 || !daemon->dhcp_buff3)
    return -1;

  // daemon->ignore_addr
  struct bogus_addr *bb = (struct bogus_addr *)alloc(sizeof(struct bogus_addr));
  if (!bb) return -1;
  daemon->ignore_addr = bb;

  // daemon->doctors
  struct doctor *doctors = (struct doctor *)alloc(sizeof(struct doctor));
  if (!doctors) return -1;
  doctors->next = NULL;
  daemon->doctors = doctors;

  return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  FuzzedDataProvider provider(data, size);

  std::vector<void *> allocs;
  std::vector<std::string> strings;
  strings.reserve(40);

  int succ = init_daemon(provider, allocs, strings);
  if (succ == 0) {
    std::string t1_str = provider.ConsumeRandomLengthString(MAXDNAME);
    std::string t2_str = provider.ConsumeRandomLengthString(MAXDNAME);
    if (t1_str.empty() || t2_str.empty())
      goto cleanup;

    char *t1 = t1_str.data();
    char *t2 = t2_str.data();

    // Util logic
    hostname_isequal(t1, t2);

    legal_hostname(t1);
    char *tmp = canonicalise(t2, NULL);
    if (tmp != NULL) {
      free(tmp);
    }

    char *tmp_out = (char *)malloc(30);
    if (tmp_out) {
      int mac_type;
      parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, NULL);
      parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, &mac_type);
      free(tmp_out);
    }

    wildcard_match(t1, t2);
    if (t1_str.size() < t2_str.size()) {
      wildcard_matchn(t1, t2, t1_str.size());
    } else {
      wildcard_matchn(t1, t2, t2_str.size());
    }
    hostname_issubdomain(t1, t2);

    union all_addr addr1;
    memset(&addr1, 0, sizeof(union all_addr));
    is_name_synthetic(0, t1, &addr1);
  }

cleanup:
  for (void *p : allocs)
    free(p);
  // Free daemon last since dnsmasq's free_real() dereferences it.
  free(daemon);
  daemon = NULL;

  return 0;
}

Coverage Report

Created: 2026-05-30 06:08

Line	Count	Source
1		/* Copyright 2026 Google LLC
2		Licensed under the Apache License, Version 2.0 (the "License");
3		you may not use this file except in compliance with the License.
4		You may obtain a copy of the License at
5		http://www.apache.org/licenses/LICENSE-2.0
6		Unless required by applicable law or agreed to in writing, software
7		distributed under the License is distributed on an "AS IS" BASIS,
8		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9		See the License for the specific language governing permissions and
10		limitations under the License.
11		*/
12
13		extern "C" {
14		#include "dnsmasq.h"
15		}
16
17		#include <fuzzer/FuzzedDataProvider.h>
18		#include <cstdlib>
19		#include <cstring>
20		#include <string>
21		#include <vector>
22
23	26.0k	#define STR_SIZE 75
24
25		static int init_daemon(FuzzedDataProvider &provider,
26		std::vector<void *> &allocs,
27	964	std::vector<std::string> &strings) {
28	26.0k	auto alloc = [&](size_t sz) -> void * {
29	26.0k	void *p = calloc(1, sz);
30	26.0k	if (p) allocs.push_back(p);
31	26.0k	return p;
32	26.0k	};
33
34	26.9k	auto make_string = [&](size_t max_len) -> char * {
35	26.9k	strings.push_back(provider.ConsumeRandomLengthString(max_len));
36	26.9k	return strings.back().data();
37	26.9k	};
38
39		// Allocate daemon separately (not via alloc) so it can be freed last.
40		// dnsmasq's free_real() dereferences daemon for metrics tracking.
41	964	daemon = (struct daemon *)calloc(1, sizeof(struct daemon));
42	964	if (!daemon) return -1;
43
44	964	daemon->max_ttl = provider.ConsumeIntegral<int>();
45	964	daemon->neg_ttl = provider.ConsumeIntegral<int>();
46	964	daemon->local_ttl = provider.ConsumeIntegral<int>();
47	964	daemon->min_cache_ttl = provider.ConsumeIntegral<int>();
48
49	964	daemon->namebuff = make_string(MAXDNAME);
50
51		// daemon->naptr
52	964	struct naptr naptr_ptr = (struct naptr )alloc(sizeof(struct naptr));
53	964	if (!naptr_ptr) return -1;
54	964	naptr_ptr->name = make_string(STR_SIZE);
55	964	naptr_ptr->replace = make_string(STR_SIZE);
56	964	naptr_ptr->regexp = make_string(STR_SIZE);
57	964	naptr_ptr->services = make_string(STR_SIZE);
58	964	naptr_ptr->flags = make_string(STR_SIZE);
59	964	daemon->naptr = naptr_ptr;
60
61		// daemon->int_names
62	964	struct interface_name *int_namses =
63	964	(struct interface_name *)alloc(sizeof(struct interface_name));
64	964	if (!int_namses) return -1;
65	964	int_namses->name = make_string(STR_SIZE);
66	964	int_namses->intr = make_string(STR_SIZE);
67
68	964	struct addrlist d_addrlist = (struct addrlist )alloc(sizeof(struct addrlist));
69	964	if (!d_addrlist) return -1;
70	964	d_addrlist->flags = provider.ConsumeIntegral<int>();
71	964	d_addrlist->prefixlen = provider.ConsumeIntegral<int>();
72	964	int_namses->addr = d_addrlist;
73	964	daemon->int_names = int_namses;
74
75		// daemon->addrbuf
76	964	char adbuf = (char )alloc(200);
77	964	if (!adbuf) return -1;
78	964	daemon->addrbuff = adbuf;
79
80		// daemon->auth_zones
81	964	struct auth_zone d_az = (struct auth_zone )alloc(sizeof(struct auth_zone));
82	964	if (!d_az) return -1;
83	964	d_az->domain = make_string(STR_SIZE);
84	964	daemon->auth_zones = d_az;
85
86		// daemon->mxnames
87	964	struct mx_srv_record *mx_srv_rec =
88	964	(struct mx_srv_record *)alloc(sizeof(struct mx_srv_record));
89	964	if (!mx_srv_rec) return -1;
90	964	mx_srv_rec->next = daemon->mxnames;
91	964	daemon->mxnames = mx_srv_rec;
92	964	mx_srv_rec->name = make_string(STR_SIZE);
93	964	mx_srv_rec->target = make_string(STR_SIZE);
94	964	mx_srv_rec->issrv = provider.ConsumeIntegral<int>();
95	964	mx_srv_rec->weight = provider.ConsumeIntegral<int>();
96	964	mx_srv_rec->priority = provider.ConsumeIntegral<int>();
97	964	mx_srv_rec->srvport = provider.ConsumeIntegral<int>();
98
99		// daemon->txt
100	964	struct txt_record *txt_record =
101	964	(struct txt_record *)alloc(sizeof(struct txt_record));
102	964	if (!txt_record) return -1;
103	964	txt_record->name = make_string(STR_SIZE);
104	964	txt_record->txt = (unsigned char *)make_string(STR_SIZE);
105	964	txt_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
106	964	daemon->txt = txt_record;
107
108		// daemon->rr
109	964	struct txt_record *rr_record =
110	964	(struct txt_record *)alloc(sizeof(struct txt_record));
111	964	if (!rr_record) return -1;
112	964	rr_record->name = make_string(STR_SIZE);
113	964	rr_record->txt = (unsigned char *)make_string(STR_SIZE);
114	964	rr_record->class2 = provider.ConsumeIntegralInRange<short>(0, 9);
115	964	daemon->rr = rr_record;
116
117		// daemon->relay4
118	964	struct dhcp_relay dr = (struct dhcp_relay )alloc(sizeof(struct dhcp_relay));
119	964	if (!dr) return -1;
120	964	dr->interface = make_string(STR_SIZE);
121	964	dr->next = NULL;
122	964	daemon->relay4 = dr;
123
124		// daemon->bridges
125	964	struct dhcp_bridge db = (struct dhcp_bridge )alloc(sizeof(struct dhcp_bridge));
126	964	if (!db) return -1;
127	964	{
128	964	std::string iface_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
129	964	memcpy(db->iface, iface_str.c_str(), iface_str.size() + 1);
130	964	}
131
132	964	struct dhcp_bridge *db_alias =
133	964	(struct dhcp_bridge *)alloc(sizeof(struct dhcp_bridge));
134	964	if (!db_alias) return -1;
135	964	{
136	964	std::string alias_str = provider.ConsumeRandomLengthString(IF_NAMESIZE - 1);
137	964	memcpy(db_alias->iface, alias_str.c_str(), alias_str.size() + 1);
138	964	}
139	964	db->alias = db_alias;
140	964	daemon->bridges = db;
141
142		// daemon->if_names, if_addrs, if_except, dhcp_except, authinterface
143	4.82k	auto make_iname = [&]() -> struct iname * {
144	4.82k	struct iname in = (struct iname )alloc(sizeof(struct iname));
145	4.82k	if (!in) return nullptr;
146	4.82k	in->name = make_string(STR_SIZE);
147	4.82k	in->next = NULL;
148	4.82k	return in;
149	4.82k	};
150
151	964	daemon->if_names = make_iname();
152	964	daemon->if_addrs = make_iname();
153	964	daemon->if_except = make_iname();
154	964	daemon->dhcp_except = make_iname();
155	964	daemon->authinterface = make_iname();
156	964	if (!daemon->if_names \|\| !daemon->if_addrs \|\| !daemon->if_except \|\|
157	964	!daemon->dhcp_except \|\| !daemon->authinterface)
158	0	return -1;
159
160		// daemon->cnames
161	964	struct cname cn = (struct cname )alloc(sizeof(struct cname));
162	964	if (!cn) return -1;
163	964	cn->alias = make_string(STR_SIZE);
164	964	cn->target = make_string(STR_SIZE);
165	964	daemon->cnames = cn;
166
167		// daemon->ptr
168	964	struct ptr_record ptr = (struct ptr_record )alloc(sizeof(struct ptr_record));
169	964	if (!ptr) return -1;
170	964	ptr->name = make_string(STR_SIZE);
171	964	daemon->ptr = ptr;
172
173		// daemon->dhcp
174	964	struct dhcp_context *dhcp_c =
175	964	(struct dhcp_context *)alloc(sizeof(struct dhcp_context));
176	964	if (!dhcp_c) return -1;
177	964	dhcp_c->next = NULL;
178	964	dhcp_c->current = NULL;
179	964	struct dhcp_netid *dhcp_c_netid =
180	964	(struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
181	964	if (!dhcp_c_netid) return -1;
182	964	dhcp_c_netid->net = make_string(STR_SIZE);
183	964	dhcp_c->filter = dhcp_c_netid;
184	964	dhcp_c->template_interface = make_string(STR_SIZE);
185	964	daemon->dhcp = dhcp_c;
186
187		// daemon->dhcp6
188	964	struct dhcp_context *dhcp6_c =
189	964	(struct dhcp_context *)alloc(sizeof(struct dhcp_context));
190	964	if (!dhcp6_c) return -1;
191	964	dhcp6_c->next = NULL;
192	964	dhcp6_c->current = NULL;
193	964	struct dhcp_netid *dhcp6_c_netid =
194	964	(struct dhcp_netid *)alloc(sizeof(struct dhcp_netid));
195	964	if (!dhcp6_c_netid) return -1;
196	964	dhcp6_c_netid->net = make_string(STR_SIZE);
197	964	dhcp6_c->filter = dhcp6_c_netid;
198	964	dhcp6_c->template_interface = make_string(STR_SIZE);
199	964	daemon->dhcp6 = dhcp6_c;
200
201	964	daemon->doing_dhcp6 = 1;
202
203		// daemon->dhcp_buffs
204	964	daemon->dhcp_buff = (char *)alloc(DHCP_BUFF_SZ);
205	964	daemon->dhcp_buff2 = (char *)alloc(DHCP_BUFF_SZ);
206	964	daemon->dhcp_buff3 = (char *)alloc(DHCP_BUFF_SZ);
207	964	if (!daemon->dhcp_buff \|\| !daemon->dhcp_buff2 \|\| !daemon->dhcp_buff3)
208	0	return -1;
209
210		// daemon->ignore_addr
211	964	struct bogus_addr bb = (struct bogus_addr )alloc(sizeof(struct bogus_addr));
212	964	if (!bb) return -1;
213	964	daemon->ignore_addr = bb;
214
215		// daemon->doctors
216	964	struct doctor doctors = (struct doctor )alloc(sizeof(struct doctor));
217	964	if (!doctors) return -1;
218	964	doctors->next = NULL;
219	964	daemon->doctors = doctors;
220
221	964	return 0;
222	964	}
223
224	964	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
225	964	FuzzedDataProvider provider(data, size);
226
227	964	std::vector<void *> allocs;
228	964	std::vector<std::string> strings;
229	964	strings.reserve(40);
230
231	964	int succ = init_daemon(provider, allocs, strings);
232	964	if (succ == 0) {
233	964	std::string t1_str = provider.ConsumeRandomLengthString(MAXDNAME);
234	964	std::string t2_str = provider.ConsumeRandomLengthString(MAXDNAME);
235	964	if (t1_str.empty() \|\| t2_str.empty())
236	361	goto cleanup;
237
238	603	char *t1 = t1_str.data();
239	603	char *t2 = t2_str.data();
240
241		// Util logic
242	603	hostname_isequal(t1, t2);
243
244	603	legal_hostname(t1);
245	603	char *tmp = canonicalise(t2, NULL);
246	603	if (tmp != NULL) {
247	291	free(tmp);
248	291	}
249
250	603	char tmp_out = (char )malloc(30);
251	603	if (tmp_out) {
252	603	int mac_type;
253	603	parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, NULL);
254	603	parse_hex(t1, (unsigned char *)tmp_out, 30, NULL, &mac_type);
255	603	free(tmp_out);
256	603	}
257
258	603	wildcard_match(t1, t2);
259	603	if (t1_str.size() < t2_str.size()) {
260	112	wildcard_matchn(t1, t2, t1_str.size());
261	491	} else {
262	491	wildcard_matchn(t1, t2, t2_str.size());
263	491	}
264	603	hostname_issubdomain(t1, t2);
265
266	603	union all_addr addr1;
267	603	memset(&addr1, 0, sizeof(union all_addr));
268	603	is_name_synthetic(0, t1, &addr1);
269	603	}
270
271	964	cleanup:
272	964	for (void *p : allocs)
273	26.0k	free(p);
274		// Free daemon last since dnsmasq's free_real() dereferences it.
275	964	free(daemon);
276	964	daemon = NULL;
277
278	964	return 0;
279	964	}