tests: Check for ftp integer overflow crash bug

* cfg.mk (exclude_file_name_regexp--sc_trailing_blank) (exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF): Change pattern to match both binary fuzzer found input files used in tests. * tests/Makefile.am (EXTRA_DIST): Add new binary fuzzer found input. * tests/crash-ftp-msg2021-12_03.bin: New file. Input found via fuzzer that crashes ftp via signed integer overflow and resulting out-of-bounds array access. Reported by AiDai in <https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00003.html>. * tests/ftp-regressions.sh: New file. Currently failing checks for regression of upcoming fix for bug reported by AiDai in <https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00003.html>.
2026-01-12 00:19:39 +08:00 · 2022-09-25 12:49:24 +02:00
parent d44e49c99f
commit a21aa6555c
4 changed files with 93 additions and 4 deletions
--- a/cfg.mk
+++ b/cfg.mk
@@ -64,10 +64,10 @@ exclude_file_name_regexp--sc_obsolete_symbols = \
 	^tests/identify.c$$

 exclude_file_name_regexp--sc_trailing_blank = \
-	^(tests/crash-tftp-msg2021-12_18.bin|gl/top/README-release.diff)$$
+	^(tests/crash-.*-msg.*.bin|gl/top/README-release.diff)$$

 exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
-	^tests/crash-tftp-msg2021-12_18.bin$$
+	^tests/crash-.*-msg.*.bin$$

 sc_unsigned_char:
 	@prohibit=u''_char \
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -20,7 +20,8 @@ AM_CPPFLAGS = $(iu_INCLUDES)

 LDADD = $(iu_LIBRARIES)

-EXTRA_DIST = tools.sh.in ifconfig_modes.sh crash-tftp-msg2021-12_18.bin
+EXTRA_DIST = tools.sh.in ifconfig_modes.sh crash-tftp-msg2021-12_18.bin \
+	crash-ftp-msg2021-12_03.bin

 noinst_PROGRAMS = identify
 identify_LDADD = $(top_builddir)/lib/libgnu.a $(LIBUTIL) $(PTY_LIB)
@@ -62,7 +63,7 @@ endif
 endif

 if ENABLE_ftp
-dist_check_SCRIPTS += ftp-parser.sh
+dist_check_SCRIPTS += ftp-parser.sh ftp-regressions.sh
 endif

 if ENABLE_inetd
--- a/tests/crash-ftp-msg2021-12_03.bin
+++ b/tests/crash-ftp-msg2021-12_03.bin
--- a/tests/ftp-regressions.sh
+++ b/tests/ftp-regressions.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+# Copyright (C) 2022 Free Software Foundation, Inc.
+#
+# This file is part of GNU Inetutils.
+#
+# GNU Inetutils is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at
+# your option) any later version.
+#
+# GNU Inetutils is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see `http://www.gnu.org/licenses/'.
+
+# Regression tests for the FTP client "ftp".
+
+# Set tool variables (e.g., SED).
+. ./tools.sh
+
+# Handle VERBOSE environment variable.
+if test -z "${VERBOSE+set}"; then
+    silence=:
+    bucket='>/dev/null'
+fi
+if test -n "$VERBOSE"; then
+    set -x
+fi
+
+# This script tests and thus requires the FTP client
+FTP="${FTP:-../ftp/ftp$EXEEXT}"
+if [ ! -x $FTP ]; then
+    echo "No FTP client '$FTP' present.  Skipping test" >&2
+    exit 77
+fi
+
+# Print version of FTP client in VERBOSE mode.
+if [ "$VERBOSE" ]; then
+    "$FTP" --version | $SED '1q'
+fi
+
+# Initialize test statistics.
+SUCCESSES=0
+EFFORTS=0
+RESULT=0
+
+# Check regression of crash reported in:
+# https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00003.html
+# This bug is caused by signed integer overflow and insufficient bounds
+# checking when using this integer for indexing into an array.
+# First, use the original reproducer from the problem report.
+EFFORTS=`expr $EFFORTS + 1`
+$silence echo 'Checking ftp crash bug from message 2021-12/03...' >&2
+"$FTP" < "$srcdir"/crash-ftp-msg2021-12_03.bin >/dev/null 2>&1
+if test $? -ne 0; then
+    $silence echo 'Regression of ftp crash bug from message 2021-12/03.' >&2
+    RESULT=1
+else
+    SUCCESSES=`expr $SUCCESSES + 1`
+    $silence echo 'Input from message 2021-12/03 did not crash ftp.' >&2
+fi
+# Second, use a simple reproducer for systems with 32 bit integers.
+EFFORTS=`expr $EFFORTS + 1`
+$silence echo 'Checking ftp crash bug from 32 bit integer overflow...' >&2
+tell='macdef x
+$2147483648
+
+$ x'
+echo "$tell" | "$FTP" >/dev/null 2>&1
+if test $? -ne 0; then
+    $silence echo 'Regression of 32 bit integer overflow crash bug in ftp.' >&2
+    RESULT=1
+else
+    SUCCESSES=`expr $SUCCESSES + 1`
+    $silence echo '32 bit integer overflow did not crash ftp.' >&2
+fi
+
+# Print test statistics.
+$silence echo
+test "$RESULT" -eq 0 && test "$SUCCESSES" -eq "$EFFORTS" && $silence false \
+    || echo "Test had $SUCCESSES successes out of $EFFORTS cases".
+
+# Report test result.
+exit $RESULT