fuzz: defend against read(fd, NULL, size) and read(-1, buf, size)

Under Linux the read call seems to accept NULL as a parameter: $ cat try.c #include <unistd.h> #include <err.h> int main(void) { int i = read(0, NULL, 4); err(1, "read"); return 0; } $ make try cc try.c -o try $ ./try </dev/random try: read: Bad address Such behaviour is not specified by POSIX, so we should catch it. Since we are at it, catching read(-1, ...) is probably a good idea, since code that does that is arguably wrong.
Yubico · Dec 17, 2024 · 5df0186 · 5df0186
1 parent e86db10
commit 5df0186
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/fuzz/wrap.c b/fuzz/wrap.c
@@ -65,7 +65,6 @@ WRAP(int, gethostname, (char *name, size_t len), -1, (name, len))
 WRAP(ssize_t, getline, (char **s, size_t *n, FILE *fp), -1, (s, n, fp))
 WRAP(FILE *, fdopen, (int fd, const char *mode), NULL, (fd, mode))
 WRAP(int, fstat, (int fd, struct stat *st), -1, (fd, st))
-WRAP(ssize_t, read, (int fd, void *buf, size_t count), -1, (fd, buf, count))
 WRAP(BIO *, BIO_new, (const BIO_METHOD *type), NULL, (type))
 WRAP(int, BIO_write, (BIO * b, const void *data, int len), -1, (b, data, len))
 WRAP(int, BIO_read, (BIO * b, void *data, int len), -1, (b, data, len))
@@ -75,6 +74,14 @@ WRAP(BIO *, BIO_new_mem_buf, (const void *buf, int len), NULL, (buf, len))
 WRAP(EC_KEY *, EC_KEY_new_by_curve_name, (int nid), NULL, (nid))
 WRAP(const EC_GROUP *, EC_KEY_get0_group, (const EC_KEY *key), NULL, (key))
 
+extern ssize_t __real_read(int fildes, void *buf, size_t nbyte);
+extern ssize_t __wrap_read(int fildes, void *buf, size_t nbyte);
+extern ssize_t __wrap_read(int fildes, void *buf, size_t nbyte) {
+  assert(fildes != -1);
+  assert(buf != NULL);
+  return __real_read(fildes, buf, nbyte);
+}
+
 extern int __wrap_asprintf(char **strp, const char *fmt, ...);
 extern int __wrap_asprintf(char **strp, const char *fmt, ...) {
   va_list ap;