<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi!</p>
    <p>I have been playing with the oss-fuzz project for over a week. I think
      many of them might be invalid, because the failures are caused by
      wrong fuzzing; more precisely, by incomplete initialization used
      when fuzzing. I have created a fix for one [1]. I have attached a
      patch which seems to prevent such failures. I am not 100% sure
      resize_packet should never increase a UDP message to a larger packet
      than received, but because it does not have any other limit available
      but plen, I used that as a top. I am confident that is the correct
      limit of the usable buffer when handling a TCP response.<br>
    </p>
    <p>But I think <a
          href="https://access.redhat.com/security/cve/CVE-2021-45955">CVE-2021-45955</a>
      might be a valid one. It seems no proper bound is checked on
      pseudo-header reinsertion. Patch attached.<br>
    </p>
    <p>My attempts to build fuzzers with debuggable code were partially
      successful. I have pushed the code I use to start fuzzing to the
      oss-fuzz branch [2]. I just source fuzz/env-rpm.sh, then fuzz/build.sh
      to create the fuzzers.<br>
    </p>
    <p>It seems all functions crashing in extract_name are invalid, because
      a too-small buffer is used in the fuzzer, and it correctly detects
      that it would write beyond the allocated space. I haven't encountered
      them since [1] was applied.<br>
    </p>
    <p>Should I create a better integration with the dnsmasq upstream
      project? It seems to be an interesting way of checking possible
      inputs to dnsmasq. Has anyone else been successful in fuzzing
      something themselves? Have you been able to validate details using
      reproducers?<br>
    </p>
    <p>Cheers,<br>
      Petr<br>
    </p>
    <p>1. <a class="moz-txt-link-freetext" href="https://github.com/google/oss-fuzz/pull/7293">https://github.com/google/oss-fuzz/pull/7293</a><br>
      2.
      <a class="moz-txt-link-freetext" href="https://github.com/InfrastructureServices/dnsmasq/tree/oss-fuzz/fuzz">https://github.com/InfrastructureServices/dnsmasq/tree/oss-fuzz/fuzz</a><br>
    </p>
    <div class="moz-cite-prefix">On 2/14/22 23:32, Hauke Mehrtens wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:f3f38af6-8c3c-a2bd-051f-ad4f249076a1@hauke-m.de">Hi,
      <br>
      <br>
      Our CVE checking scripts in OpenWrt found the following recently
      opened CVEs against dnsmasq:
      <br>
      <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-45951">https://nvd.nist.gov/vuln/detail/CVE-2021-45951</a>
      <br>
      <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-45952">https://nvd.nist.gov/vuln/detail/CVE-2021-45952</a>
      <br>
      <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-45953">https://nvd.nist.gov/vuln/detail/CVE-2021-45953</a>
      <br>
      <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-45954">https://nvd.nist.gov/vuln/detail/CVE-2021-45954</a>
      <br>
      <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-45955">https://nvd.nist.gov/vuln/detail/CVE-2021-45955</a>
      <br>
      <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-45956">https://nvd.nist.gov/vuln/detail/CVE-2021-45956</a>
      <br>
      <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-45957">https://nvd.nist.gov/vuln/detail/CVE-2021-45957</a>
      <br>
      <br>
      We think these CVE reports are wrong and should get rejected.
      <br>
    </blockquote>
    Not all of them. How were they validated? How do you know they are
    wrong? Have you reproduced and debugged them?<br>
    <blockquote type="cite"
      cite="mid:f3f38af6-8c3c-a2bd-051f-ad4f249076a1@hauke-m.de">
      <br>
      Hauke<br>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
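    <p>Added illustration (not from the message above, not dnsmasq code, and
      not the attached patches): the two points the mail makes are that an
      in-place packet growth must be capped by the size of the buffer the
      packet was received into (the role plen plays in the mail), and that a
      fuzz harness which hands the parser a buffer sized exactly to the
      input will report a "write past allocation" for growth the real
      program has room for. The hypothetical <code>struct pkt</code>,
      <code>bounded_insert</code> and <code>harness_prepare</code> below
      are constructed for this example; the fixed storage size stands in
      for whatever maximum the real receive buffer has.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical packet view: 'cap' is the number of bytes the parser may
 * legally write into 'buf' (the received buffer's size), 'len' is how many
 * of them currently carry packet data. Constructed for this example. */
struct pkt {
    uint8_t *buf;
    size_t cap;
    size_t len;
};

/* Insert 'extra' bytes from 'src' at offset 'at', shifting the tail right.
 * Returns the new length, or 0 if the insertion would exceed 'cap' or the
 * offset lies outside the current data. The check is written so that
 * 'len + extra' cannot wrap around in size_t. */
size_t bounded_insert(struct pkt *p, size_t at, const uint8_t *src, size_t extra)
{
    if (at > p->len)
        return 0;                       /* offset past the meaningful data */
    if (extra > p->cap || p->len > p->cap - extra)
        return 0;                       /* no room below the cap (overflow-safe) */
    memmove(p->buf + at + extra, p->buf + at, p->len - at);
    memcpy(p->buf + at, src, extra);
    p->len += extra;
    return p->len;
}

/* Harness-side setup: copy the fuzzer input into fixed storage that is as
 * large as the real receive buffer would be, and expose that full size as
 * 'cap'. Inputs larger than the storage are rejected (return 0) rather
 * than truncated. A harness that instead set cap == size would make every
 * legitimate in-place growth look like an out-of-bounds write. */
int harness_prepare(const uint8_t *data, size_t size, struct pkt *p,
                    uint8_t *storage, size_t storage_cap)
{
    if (size > storage_cap)
        return 0;
    memcpy(storage, data, size);
    p->buf = storage;
    p->cap = storage_cap;               /* room the parser is allowed to use */
    p->len = size;                      /* bytes that actually arrived */
    return 1;
}
```

    <p>With the storage sized like the real receive buffer, an insertion
      that fits is accepted and the tail is preserved; an insertion that
      would cross the cap is refused instead of written, which is the
      behaviour a sanitizer-instrumented harness should see for real
      bugs only.</p>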
  </body>
</html>