heimdal/kadmin/FUZZING.md
2026-01-18 19:06:16 -06:00

# Fuzzing kadmin
Kadmind includes built-in fuzzing support via the `--fuzz-stdin` flag, which
processes a single RPC message from stdin without requiring network setup or
authentication.
## Running
### Standalone mode
```bash
# Process a single corpus file
./kadmind --fuzz-stdin < fuzz/get_existing_test.bin
# With a specific realm
./kadmind -r TEST.H5L.SE --fuzz-stdin < fuzz/create_new.bin
```
### With AFL++
```bash
# Build with AFL instrumentation
CC=afl-clang-fast CXX=afl-clang-fast++ \
../configure --enable-maintainer-mode --enable-developer
make
# Run fuzzer
afl-fuzz -i kadmin/fuzz -o findings -- ./kadmind --fuzz-stdin
```
### With libFuzzer
To use libFuzzer, create a harness that calls the internal fuzzing entry point:
```c
#include <stddef.h>   /* size_t */
#include <stdint.h>   /* uint8_t */

/* Entry point exported by kadmind: processes one in-memory RPC message. */
extern int kadmind_fuzz_input(const uint8_t *data, size_t size);

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    /* The result is ignored; crashes and sanitizer reports are what libFuzzer
     * records. libFuzzer expects 0 here, non-zero return values are reserved. */
    kadmind_fuzz_input(data, size);
    return 0;
}
```
## Seed Corpus
The `fuzz/` directory contains seed inputs covering:
- All kadm_ops commands (GET, DELETE, CREATE, RENAME, CHPASS, MODIFY, RANDKEY, etc.)
- Edge cases (invalid commands, truncated data, malformed principals)
- Overflow tests (large/negative array counts)
See `fuzz/README` for detailed corpus file descriptions.
## Regenerating Corpus
```bash
cd fuzz
python3 gen_corpus.py
```
## Message Format
Each corpus file contains a length-prefixed message:
```
[4-byte big-endian length][message payload]
```
The payload starts with a 4-byte command number (see `kadm_ops` enum in
`lib/kadm5/kadm5-private.h`).
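As an added example (not part of Heimdal's `gen_corpus.py` or kadmind), a small Python builder and strict parser for this layout that audits a set of corpus entries and flags the truncated and length-mismatch cases the seed corpus covers. The command number `0` in the constructed sample is a placeholder; the real values are the `kadm_ops` enum in `lib/kadm5/kadm5-private.h`.

```python
import struct

HEADER_LEN = 4  # 4-byte big-endian length prefix
CMD_LEN = 4     # 4-byte big-endian command number at the start of the payload

class CorpusFormatError(ValueError):
    """Input does not match the length-prefixed message layout."""

def build_message(command: int, body: bytes = b"") -> bytes:
    """Encode one fuzz input as [4-byte BE length][4-byte BE command][body]."""
    payload = struct.pack(">I", command) + body  # struct rejects values > 2**32-1
    return struct.pack(">I", len(payload)) + payload

def truncate_message(message: bytes, drop: int) -> bytes:
    """Drop trailing bytes but keep the original prefix, so it promises more
    data than is present (the 'truncated data' seed case)."""
    if not 0 < drop < len(message) - HEADER_LEN:
        raise ValueError("drop must remove some, but not all, payload bytes")
    return message[:-drop]

def parse_message(blob: bytes) -> tuple[int, bytes]:
    """Decode a corpus file into (command_number, body); reject inputs whose
    length prefix disagrees with the bytes actually present."""
    if len(blob) < HEADER_LEN:
        raise CorpusFormatError("missing 4-byte length prefix")
    (length,) = struct.unpack(">I", blob[:HEADER_LEN])
    payload = blob[HEADER_LEN:]
    if len(payload) != length:
        raise CorpusFormatError(f"prefix claims {length} bytes, {len(payload)} follow")
    if length < CMD_LEN:
        raise CorpusFormatError("payload too short to hold a command number")
    (command,) = struct.unpack(">I", payload[:CMD_LEN])
    return command, payload[CMD_LEN:]

def audit_corpus(entries: dict[str, bytes]) -> dict[str, str]:
    """Return 'ok cmd=N' or 'malformed: <reason>' for each corpus entry."""
    report = {}
    for name, blob in entries.items():
        try:
            report[name] = f"ok cmd={parse_message(blob)[0]}"
        except CorpusFormatError as exc:
            report[name] = f"malformed: {exc}"
    return report

if __name__ == "__main__":  # constructed samples; 0 is a placeholder command number
    good = build_message(0, b"principal@EXAMPLE.COM\0")
    print(audit_corpus({"good.bin": good, "truncated.bin": truncate_message(good, 5),
                        "no_cmd.bin": b"\x00\x00\x00\x00", "bad_len.bin": b"\xff\xff\xff\xffAAAA"}))
```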