[c-ares] Add c_ares_ares_create_query_fuzzer, verified with CVE-2016-5180.

targets/c-ares/Dockerfile

@@ -0,0 +1,21 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool
+RUN git clone https://github.com/c-ares/c-ares.git
+COPY build.sh *_fuzzer.cc /src/

targets/c-ares/Jenkinsfile

@@ -0,0 +1,22 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+def libfuzzerBuild = fileLoader.fromGit('infra/libfuzzer-pipeline.groovy',
+                                        'https://github.com/google/oss-fuzz.git')
+
+libfuzzerBuild {
+  git = "https://github.com/c-ares/c-ares.git"
+}

targets/c-ares/build.sh

@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd /src/c-ares
+
+export LDFLAGS="$FUZZER_LDFLAGS"
+
+# Build the target.
+./buildconf
+./configure
+make clean
+make -j$(nproc) all
+
+# Build the fuzzer.
+$CXX $CXXFLAGS -std=c++11 -I. \
+    /src/c_ares_ares_create_query_fuzzer.cc \
+    -o /out/c_ares_ares_create_query_fuzzer \
+    -lfuzzer /src/c-ares/.libs//libcares.a $FUZZER_LDFLAGS

targets/c-ares/c_ares_ares_create_query_fuzzer.cc

@@ -0,0 +1,31 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <arpa/nameser.h>
+
+#include <string>
+
+#include <ares.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  unsigned char *buf;
+  int buflen;
+  std::string s(reinterpret_cast<const char *>(data), size);
+  ares_create_query(s.c_str(), ns_c_in, ns_t_a, 0x1234, 0, &buf, &buflen, 0);
+  ares_free_string(buf);
+  return 0;
+}