Fuzzing kadmin
Kadmind includes built-in fuzzing support via the --fuzz-stdin flag: it reads a
single RPC message from stdin and dispatches it through the normal request
handler, with no network setup or authentication required. The same flag is what
you use to reproduce a crashing input found by a fuzzer.
Running
Standalone mode
```sh
# Process a single corpus file
./kadmind --fuzz-stdin < fuzz/get_existing_test.bin

# With a specific realm
./kadmind -r TEST.H5L.SE --fuzz-stdin < fuzz/create_new.bin
```
With AFL++
```sh
# Build with AFL instrumentation (run from an out-of-tree build directory)
CC=afl-clang-fast CXX=afl-clang-fast++ \
    ../configure --enable-maintainer-mode --enable-developer
make

# Run fuzzer: seeds come from kadmin/fuzz, results go to findings/
afl-fuzz -i kadmin/fuzz -o findings -- ./kadmind --fuzz-stdin
```
With libFuzzer
To use libFuzzer, create a harness that calls the internal fuzzing entry point:
```c
#include <stddef.h>   /* size_t */
#include <stdint.h>   /* uint8_t */

/* Internal entry point used by --fuzz-stdin; it consumes one RPC message. */
extern int kadmind_fuzz_input(const uint8_t *data, size_t size);

/* libFuzzer calls this once per generated input. Always return 0; a
 * non-zero return is reserved by libFuzzer and must not be used to
 * signal a rejected input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    kadmind_fuzz_input(data, size);
    return 0;
}
```
Seed Corpus
The fuzz/ directory contains seed inputs covering:
- All kadm_ops commands (GET, DELETE, CREATE, RENAME, CHPASS, MODIFY, RANDKEY, etc.)
- Edge cases (invalid commands, truncated data, malformed principals)
- Overflow tests (large/negative array counts)
See fuzz/README for detailed corpus file descriptions.
Regenerating Corpus
```sh
cd fuzz
python3 gen_corpus.py
```
Message Format
Each corpus file contains a length-prefixed message:
```
[4-byte big-endian length][message payload]
```
The payload starts with a 4-byte command number (see kadm_ops enum in
lib/kadm5/kadm5-private.h).
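The following is an added example, not part of kadmin or its gen_corpus.py script, showing how to build corpus files in the format above and how to check an existing corpus directory for the malformed shapes the seed set deliberately contains. The KADM_OPS numbers are assumed to follow the declaration order of the kadm_ops enum and should be verified against lib/kadm5/kadm5-private.h; the per-command payload layout is not described on this page, so the 32-bit count used for the overflow seeds is likewise an assumption.

```python
"""Build and inspect kadmind --fuzz-stdin corpus files.

Wire format (from this README): [4-byte big-endian length][payload], where the
payload begins with a 4-byte big-endian kadm_ops command number.
"""
import struct
from pathlib import Path

# ASSUMPTION: mirrors the declaration order of enum kadm_ops in
# lib/kadm5/kadm5-private.h; verify against the header before depending on it.
KADM_OPS = {
    "GET": 0, "DELETE": 1, "CREATE": 2, "RENAME": 3,
    "CHPASS": 4, "MODIFY": 5, "RANDKEY": 6,
}

HDR = struct.Struct(">I")  # length prefix and command number share this shape


def build_message(cmd: int, body: bytes = b"") -> bytes:
    """Return a complete corpus file image: length prefix, command, body."""
    payload = HDR.pack(cmd) + body
    return HDR.pack(len(payload)) + payload


def parse_message(blob: bytes) -> tuple[int, bytes]:
    """Decode one corpus file into (command, bytes after the command).

    Raises ValueError for the malformed shapes the seed corpus contains on
    purpose: missing prefix, length/payload mismatch, payload with no command.
    """
    if len(blob) < HDR.size:
        raise ValueError("no length prefix")
    (length,) = HDR.unpack_from(blob, 0)
    payload = blob[HDR.size:]
    if length != len(payload):
        raise ValueError(f"declared {length} bytes, got {len(payload)}")
    if length < HDR.size:
        raise ValueError("payload too short for a command number")
    (cmd,) = HDR.unpack_from(payload, 0)
    return cmd, payload[HDR.size:]


def truncated_variant(blob: bytes, keep: int) -> bytes:
    """Keep the declared length but cut the payload to `keep` bytes
    (the 'truncated data' edge case)."""
    return blob[:HDR.size + keep]


def count_variant(cmd: int, count: int) -> bytes:
    """Message whose body starts with a signed 32-bit count.

    ASSUMPTION: the real per-command encoding is not given here; this only
    models the 'large/negative array count' seeds.
    """
    return build_message(cmd, struct.pack(">i", count))


def summarize_corpus(directory: str) -> dict[str, str]:
    """Map each *.bin file to 'cmd=N len=M' or to the parse error it triggers."""
    out = {}
    for path in sorted(Path(directory).glob("*.bin")):
        try:
            cmd, body = parse_message(path.read_bytes())
            out[path.name] = f"cmd={cmd} len={len(body)}"
        except ValueError as exc:
            out[path.name] = f"malformed: {exc}"
    return out


if __name__ == "__main__":
    import sys
    for name, desc in summarize_corpus(sys.argv[1] if len(sys.argv) > 1 else "fuzz").items():
        print(f"{name}: {desc}")
```

Run it against the fuzz/ directory to see at a glance which seeds are well-formed and which are the deliberate truncation and bad-length cases; a seed that parses cleanly here but crashes kadmind is a bug in the server, while one that fails here exercises the length and command checks at the front of the request path.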