From bcd5f12e4bca2ed2c00cddb5ffd046aef6f4fb31 Mon Sep 17 00:00:00 2001
From: David Garcia Quintas <dgq@google.com>
Date: Wed, 22 Feb 2017 14:32:56 -0800
Subject: [PATCH] Fix heap-buffer-overflow in parse_unix (found by clusterfuzz)

---
 src/core/ext/client_channel/parse_address.c   |   3 ++-
 .../chttp2/client/insecure/channel_create.c   |   4 +++-
 .../client/secure/secure_channel_create.c     |   4 +++-
 .../clusterfuzz-testcase-5834320218423296     | Bin 0 -> 298 bytes
 tools/run_tests/generated/tests.json          |  22 ++++++++++++++++++
 5 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5834320218423296

diff --git a/src/core/ext/client_channel/parse_address.c b/src/core/ext/client_channel/parse_address.c
index b1d55ad0f5..fa0125ee9e 100644
--- a/src/core/ext/client_channel/parse_address.c
+++ b/src/core/ext/client_channel/parse_address.c
@@ -49,9 +49,10 @@
 
 int parse_unix(grpc_uri *uri, grpc_resolved_address *resolved_addr) {
   struct sockaddr_un *un = (struct sockaddr_un *)resolved_addr->addr;
+  memset(un, 0, sizeof(*un));
 
   un->sun_family = AF_UNIX;
-  strcpy(un->sun_path, uri->path);
+  strncpy(un->sun_path, uri->path, sizeof(un->sun_path) - 1 /* null term'd */);
   resolved_addr->len = strlen(un->sun_path) + sizeof(un->sun_family) + 1;
 
   return 1;
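Review bot: The bounded copy on the `strncpy` line silently truncates a `uri->path` longer than `sun_path` (commonly 104–108 bytes, platform-dependent) and the function still returns 1, so an over-long path now resolves to a different, shortened socket path instead of being rejected. Reject it before copying: `if (strlen(uri->path) >= sizeof(un->sun_path)) return 0;` — assuming a 0 return is how the other parse_* helpers in this file report failure, which is not visible in this hunk. NUL-termination itself is fine here: the new `memset` zeroes the whole struct and the copy leaves the last byte untouched, so the `strlen(un->sun_path)` on the following line is bounded; a comment saying so would save the next reader from re-deriving it, e.g. `/* memset above guarantees the final byte stays 0, so the copy is always terminated */`. parse_unix's closing brace lies past the end of the hunk.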
diff --git a/src/core/ext/transport/chttp2/client/insecure/channel_create.c b/src/core/ext/transport/chttp2/client/insecure/channel_create.c
index 490a0c560e..286232f277 100644
--- a/src/core/ext/transport/chttp2/client/insecure/channel_create.c
+++ b/src/core/ext/transport/chttp2/client/insecure/channel_create.c
@@ -73,7 +73,9 @@ static grpc_channel *client_channel_factory_create_channel(
   arg.type = GRPC_ARG_STRING;
   arg.key = GRPC_ARG_SERVER_URI;
   arg.value.string = grpc_resolver_factory_add_default_prefix_if_needed(target);
-  grpc_channel_args *new_args = grpc_channel_args_copy_and_add(args, &arg, 1);
+  const char *to_remove[] = {GRPC_ARG_SERVER_URI};
+  grpc_channel_args *new_args =
+      grpc_channel_args_copy_and_add_and_remove(args, to_remove, 1, &arg, 1);
   gpr_free(arg.value.string);
   grpc_channel *channel = grpc_channel_create(exec_ctx, target, new_args,
                                               GRPC_CLIENT_CHANNEL, NULL);
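Review bot: The new `to_remove` array drops any caller-supplied GRPC_ARG_SERVER_URI before the one derived from `target` is added, but nothing in the hunk says why; a reader sees only a more elaborate call than the `copy_and_add` it replaces. A one-line comment above `to_remove` would carry the intent: `/* Drop any caller-supplied GRPC_ARG_SERVER_URI so the channel only ever sees the URI derived from target. */` — presumably that is the reason, confirm against the fuzzer case. Separately, `arg.value.string` is passed into `new_args` and then to `gpr_free` without a NULL check; if `grpc_resolver_factory_add_default_prefix_if_needed` can fail on a malformed target, that is worth confirming at this call site. client_channel_factory_create_channel continues outside the hunk.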
diff --git a/src/core/ext/transport/chttp2/client/secure/secure_channel_create.c b/src/core/ext/transport/chttp2/client/secure/secure_channel_create.c
index d8c18eb122..825db68c65 100644
--- a/src/core/ext/transport/chttp2/client/secure/secure_channel_create.c
+++ b/src/core/ext/transport/chttp2/client/secure/secure_channel_create.c
@@ -182,7 +182,9 @@ static grpc_channel *client_channel_factory_create_channel(
   arg.type = GRPC_ARG_STRING;
   arg.key = GRPC_ARG_SERVER_URI;
   arg.value.string = grpc_resolver_factory_add_default_prefix_if_needed(target);
-  grpc_channel_args *new_args = grpc_channel_args_copy_and_add(args, &arg, 1);
+  const char *to_remove[] = {GRPC_ARG_SERVER_URI};
+  grpc_channel_args *new_args =
+      grpc_channel_args_copy_and_add_and_remove(args, to_remove, 1, &arg, 1);
   gpr_free(arg.value.string);
   grpc_channel *channel = grpc_channel_create(exec_ctx, target, new_args,
                                               GRPC_CLIENT_CHANNEL, NULL);
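Review bot: These three new lines (`to_remove`, the `grpc_channel_args_copy_and_add_and_remove` call) are a byte-for-byte copy of the same change in insecure/channel_create.c, so the secure and insecure channel factories now duplicate the server-URI argument construction and a future fix to one can miss the other. Consider hoisting it into one shared helper in the client_channel code, e.g. `grpc_channel_args *grpc_channel_args_with_server_uri(const grpc_channel_args *args, const char *target);`, called from both factories. client_channel_factory_create_channel continues outside the hunk.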
diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5834320218423296 b/test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5834320218423296
new file mode 100644
index 0000000000000000000000000000000000000000..65cc6a2209184c3c42771f9b7f8b19a1eedfff9c
GIT binary patch
literal 298
zcmZQzV&Gx~0}vyzAd}($|NsBxxj-z&^rC`fz2elOvecsZ(xOa;(!9(HE0G$n8W2!N
z03CI8^CT0q#MCr1Q;RgXI7m1#DbXM)%^=yr)W`^@M6!8eN{VT+fq}7+k&&r|^FV-9
VG)JVSsxvS!FbD}T2%P~j7yz5bOLhPN

literal 0
HcmV?d00001

diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json
index 142e5bea4a..7c642ead4d 100644
--- a/tools/run_tests/generated/tests.json
+++ b/tools/run_tests/generated/tests.json
@@ -79681,6 +79681,28 @@
     ], 
     "uses_polling": false
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-5834320218423296"
+    ], 
+    "ci_platforms": [
+      "linux"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [
+      "tsan"
+    ], 
+    "exclude_iomgrs": [
+      "uv"
+    ], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux"
+    ], 
+    "uses_polling": false
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/crash-0597bbdd657fa4ed14443994c9147a1a7bbc205f"
-- 
GitLab