authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-05-29 19:24:00 +0200
committerGitHub <noreply@github.com>2023-05-29 19:24:00 +0200
commitefb261a95c5a81ddb148f205d74eab3714155f0d (patch)
tree94ffe1907720e93087c3518bf1729032d13e1b84 /fuzz
parent346bb268e22e190e79b16091817d5178a608d4a0 (diff)
Fix some memory errors triggered by allocation failures (#1995)
Some low-hanging fruit found using nallocfuzz. See: https://github.com/catenacyber/nallocfuzz See: https://github.com/google/oss-fuzz/pull/9902 Most of these errors are trivial to fix; the only exception is the uthash code. If an insertion fails because of an allocation failure, we must avoid leaking the element that was about to be inserted. The only way to detect that `HASH_ADD_*` failed is to perform a fresh lookup afterwards: slightly costly, but this code is not on any critical data path.
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/fuzz_ds_ahocorasick.cpp3
-rw-r--r--fuzz/fuzz_libinjection.c2
-rw-r--r--fuzz/fuzz_process_packet.c18
3 files changed, 13 insertions, 10 deletions
diff --git a/fuzz/fuzz_ds_ahocorasick.cpp b/fuzz/fuzz_ds_ahocorasick.cpp
index 5297236e3..e02744e52 100644
--- a/fuzz/fuzz_ds_ahocorasick.cpp
+++ b/fuzz/fuzz_ds_ahocorasick.cpp
@@ -133,7 +133,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
f = fopen("/dev/null", "w");
ac_automata_dump(a, f);
- fclose(f);
+ if (f)
+ fclose(f);
ac_automata_get_stats(a, &stats);
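Review bot: The new NULL guard covers only `fclose`, but `ac_automata_dump(a, f)` two lines above is still invoked with the result of `fopen("/dev/null", "w")` when that call fails and yields NULL. Unless `ac_automata_dump` itself tolerates a NULL FILE* (not visible in this hunk), the dump would write through a null stream, which is exactly the class of allocation-failure crash this commit is fixing. Put the dump under the same guard: `if (f) { ac_automata_dump(a, f); fclose(f); }`. LLVMFuzzerTestOneInput starts before and continues past this hunk.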
diff --git a/fuzz/fuzz_libinjection.c b/fuzz/fuzz_libinjection.c
index c878fe823..f614a62e1 100644
--- a/fuzz/fuzz_libinjection.c
+++ b/fuzz/fuzz_libinjection.c
@@ -12,6 +12,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
/* Libinjection: it wants null-terminated string */
query = malloc(size + 1);
+ if (!query)
+ return 0;
memcpy(query, data, size);
query[size] = '\0';
diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c
index dcd15c99e..3f0694cf9 100644
--- a/fuzz/fuzz_process_packet.c
+++ b/fuzz/fuzz_process_packet.c
@@ -5,6 +5,7 @@
#include <stdio.h>
struct ndpi_detection_module_struct *ndpi_info_mod = NULL;
+struct ndpi_flow_struct ndpi_flow;
static ndpi_serializer json_serializer = {};
static ndpi_serializer csv_serializer = {};
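Review bot: The newly added `struct ndpi_flow_struct ndpi_flow;` has external linkage, unlike the two `static ndpi_serializer` definitions right below it that follow the same per-harness-scratch pattern. Nothing in this file needs to export the symbol, so declaring it `static struct ndpi_flow_struct ndpi_flow;` keeps it file-local and avoids a potential multiple-definition clash if several fuzz targets are ever linked together. A short comment such as `/* reused across iterations; zeroed before every packet */` would also make the lifecycle explicit, since the reset now happens far from the definition.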
@@ -18,24 +19,23 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
ndpi_init_serializer(&csv_serializer, ndpi_serialization_format_csv);
}
- struct ndpi_flow_struct *ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT);
- memset(ndpi_flow, 0, SIZEOF_FLOW_STRUCT);
+ memset(&ndpi_flow, 0, SIZEOF_FLOW_STRUCT);
ndpi_protocol detected_protocol =
- ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0, NULL);
+ ndpi_detection_process_packet(ndpi_info_mod, &ndpi_flow, Data, Size, 0, NULL);
ndpi_protocol guessed_protocol =
- ndpi_detection_giveup(ndpi_info_mod, ndpi_flow, 1, &protocol_was_guessed);
+ ndpi_detection_giveup(ndpi_info_mod, &ndpi_flow, 1, &protocol_was_guessed);
ndpi_reset_serializer(&json_serializer);
ndpi_reset_serializer(&csv_serializer);
if (protocol_was_guessed == 0)
{
- ndpi_dpi2json(ndpi_info_mod, ndpi_flow, detected_protocol, &json_serializer);
- ndpi_dpi2json(ndpi_info_mod, ndpi_flow, detected_protocol, &csv_serializer);
+ ndpi_dpi2json(ndpi_info_mod, &ndpi_flow, detected_protocol, &json_serializer);
+ ndpi_dpi2json(ndpi_info_mod, &ndpi_flow, detected_protocol, &csv_serializer);
} else {
- ndpi_dpi2json(ndpi_info_mod, ndpi_flow, guessed_protocol, &json_serializer);
- ndpi_dpi2json(ndpi_info_mod, ndpi_flow, guessed_protocol, &csv_serializer);
+ ndpi_dpi2json(ndpi_info_mod, &ndpi_flow, guessed_protocol, &json_serializer);
+ ndpi_dpi2json(ndpi_info_mod, &ndpi_flow, guessed_protocol, &csv_serializer);
}
- ndpi_free_flow(ndpi_flow);
+ ndpi_free_flow_data(&ndpi_flow);
return 0;
}
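Review bot: `memset(&ndpi_flow, 0, SIZEOF_FLOW_STRUCT)` now zeroes a statically sized object with a length that is defined elsewhere; the previous heap version at least allocated and cleared with the same constant. If `SIZEOF_FLOW_STRUCT` ever diverges from `sizeof(struct ndpi_flow_struct)` (for example if it is rounded or padded in the library header), the memset overruns a global. Tie the length to the object itself with `memset(&ndpi_flow, 0, sizeof(ndpi_flow));`, which cannot drift. The rest of the hunk, including the switch from `ndpi_free_flow` to `ndpi_free_flow_data` for the non-heap object, looks consistent.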