fuzz: DHCP header parser

Author: Alexandra Sandulescu

fuzz/Cargo.toml

@@ -28,3 +28,9 @@ name = "tcp_headers"
 path = "fuzz_targets/tcp_headers.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "dhcp_header"
+path = "fuzz_targets/dhcp_header.rs"
+test = false
+doc = false

fuzz/fuzz_targets/dhcp_header.rs

@@ -0,0 +1,19 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use smoltcp::wire::{DhcpPacket, DhcpRepr};
+
+fuzz_target!(|data: &[u8]| {
+    let _ = match DhcpPacket::new_checked(data) {
+        Ok(ref packet) => match DhcpRepr::parse(packet) {
+            Ok(dhcp_repr) => {
+                let mut dhcp_payload = vec![0; dhcp_repr.buffer_len()];
+                match DhcpPacket::new_checked(&mut dhcp_payload[..]) {
+                    Ok(mut dhcp_packet) => Some(dhcp_repr.emit(&mut dhcp_packet)),
+                    Err(_) => None,
+                }
+            }
+            Err(_) => None,
+        },
+        Err(_) => None,
+    };
+});

src/wire/dhcpv4.rs

@@ -824,7 +824,11 @@ impl<'a> Repr<'a> {
                     data,
                 } => {
                     let mut servers = [None; MAX_DNS_SERVER_COUNT];
-                    for (server, chunk) in servers.iter_mut().zip(data.chunks(4)) {
+                    let chunk_size = 4;
+                    for (server, chunk) in servers.iter_mut().zip(data.chunks(chunk_size)) {
+                        if chunk.len() != chunk_size {
+                            return Err(Error::Malformed);
+                        }
                         *server = Some(Ipv4Address::from_bytes(chunk));
                     }
                     dns_servers = Some(servers);