diff options
Diffstat (limited to 'tests/unit/unit1655.c')
-rw-r--r-- | tests/unit/unit1655.c | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/tests/unit/unit1655.c b/tests/unit/unit1655.c new file mode 100644 index 00000000..7fea134d --- /dev/null +++ b/tests/unit/unit1655.c @@ -0,0 +1,113 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 2019, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ +#include "curlcheck.h" + +#include "doh.h" /* from the lib dir */ + +static CURLcode unit_setup(void) +{ + /* whatever you want done first */ + return CURLE_OK; +} + +static void unit_stop(void) +{ + /* done before shutting down and exiting */ +} + +UNITTEST_START + +/* introduce a scope and prove the corner case with write overflow, + * so we can prove this test would detect it and that it is properly fixed + */ +do { + const char *bad = "this.is.a.hostname.where.each.individual.part.is.within." + "the.sixtythree.character.limit.but.still.long.enough.to." + "trigger.the.the.buffer.overflow......it.is.chosen.to.be." + "of.a.length.such.that.it.causes.a.two.byte.buffer......." + "overwrite.....making.it.longer.causes.doh.encode.to....." + ".return.early.so.dont.change.its.length.xxxx.xxxxxxxxxxx" + "..xxxxxx.....xx..........xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + "xxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxx..x......xxxx" + "xxxx..xxxxxxxxxxxxxxxxxxx.x...xxxx.x.x.x...xxxxx"; + + /* plays the role of struct dnsprobe in urldata.h */ + struct demo { + unsigned char dohbuffer[512]; + unsigned char canary1; + unsigned char canary2; + unsigned char canary3; + }; + + size_t olen = 100000; + struct demo victim; + DOHcode d; + victim.canary1 = 87; /* magic numbers, arbritrarily picked */ + victim.canary2 = 35; + victim.canary3 = 41; + d = doh_encode(bad, DNS_TYPE_A, victim.dohbuffer, + sizeof(victim.dohbuffer), &olen); + fail_unless(victim.canary1 == 87, "one byte buffer overwrite has happened"); + fail_unless(victim.canary2 == 35, "two byte buffer overwrite has happened"); + fail_unless(victim.canary3 == 41, + "three byte buffer overwrite has happened"); + if(d == DOH_OK) { + fail_unless(olen <= sizeof(victim.dohbuffer), "wrote outside bounds"); + fail_unless(olen > strlen(bad), "unrealistic low size"); + } +} while(0); + +/* run normal cases and try to trigger buffer length related errors */ +do { + DNStype dnstype = DNS_TYPE_A; + unsigned char buffer[128]; + const size_t buflen = sizeof(buffer); + const size_t magic1 = 9765; + size_t olen1 = magic1; + const char *sunshine1 = "a.com"; + const char *sunshine2 = "aa.com"; + size_t olen2; + DOHcode ret2; + size_t olen; + + DOHcode ret = doh_encode(sunshine1, dnstype, buffer, buflen, &olen1); + fail_unless(ret == DOH_OK, "sunshine case 1 should pass fine"); + fail_if(olen1 == magic1, "olen has not been assigned properly"); + fail_unless(olen1 > strlen(sunshine1), "bad out length"); + + /* add one letter, the response should be one longer */ + olen2 = magic1; + ret2 = doh_encode(sunshine2, dnstype, buffer, buflen, &olen2); + fail_unless(ret2 == DOH_OK, "sunshine case 2 should pass fine"); + fail_if(olen2 == magic1, "olen has not been assigned properly"); + fail_unless(olen1 + 1 == olen2, "olen should grow with the hostname"); + + /* pass a short buffer, should fail */ + ret = doh_encode(sunshine1, dnstype, buffer, olen1 - 1, &olen); + fail_if(ret == DOH_OK, "short buffer should have been noticed"); + + /* pass a minimum buffer, should succeed */ + ret = doh_encode(sunshine1, dnstype, buffer, olen1, &olen); + fail_unless(ret == DOH_OK, "minimal length buffer should be long enough"); + fail_unless(olen == olen1, "bad buffer length"); +} while(0); +UNITTEST_STOP |