OSS-Fuzz reproduction steps
Samba is integrated with OSS-Fuzz. To obtain access to the fuzzing results you must be a member of the Samba Team and be listed in the Samba project.yaml file in the OSS-Fuzz repository. The fuzzing results are on the OSS-Fuzz ClusterFuzz web interface. See the OSS-Fuzz new project guide, section on reviewing results, for more details.
If the failure is in a fuzz target named fuzz_ndr_* then it is usually possible to translate the failure into an ndrdump command. In the command below, $PIPE is the NDR pipe name taken from the target name (e.g. drsuapi for fuzz_ndr_drsuapi_TYPE_OUT) and $FILE is the reproducer file provided by OSS-Fuzz:
lib/fuzzing/decode_ndr_X_crash -p $PIPE $FILE
This allows the failure to be debugged without recompiling Samba as a fuzzing build, and makes it easy to turn the reproducer into a testsuite case.
Other fuzzers (or where ndrdump does not reproduce)
For other fuzzers, build Samba for fuzzing. See lib/fuzzing/README.md for instructions on how to build Samba for fuzzing.
If neither AFL nor honggfuzz is available locally, you can still configure with the AFL fuzzer option (--enable-afl-fuzzer in current Samba; check lib/fuzzing/README.md for the exact configure line) and this will produce normal, non-instrumented binaries.
Either way, the result of these builds is a series of fuzz_* binaries in bin/ that read the failing input from stdin.
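The two reproduction paths above (decode_ndr_X_crash for fuzz_ndr_* targets, and feeding the reproducer to a locally built fuzz_* binary for everything else) as a small triage script. This is an added example, not a script from the Samba tree; it assumes the fuzz_* binaries read the whole input from stdin and die with a non-zero status or a signal on a finding, and uses coreutils timeout if it is installed. All paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Triage OSS-Fuzz reproducers against a local Samba build (added example).
# Assumptions (not from the page): bin/fuzz_* binaries read the input from
# stdin and exit non-zero or die by signal on a finding; `timeout` is optional.

# pipe_from_target TARGET
# Derive the NDR pipe name from a fuzz_ndr_<pipe>_TYPE_<IN|OUT> target name,
# e.g. fuzz_ndr_drsuapi_TYPE_OUT -> drsuapi. Fails for non-NDR targets.
pipe_from_target() {
    case $1 in
        fuzz_ndr_*_TYPE_*)
            t=${1#fuzz_ndr_}
            printf '%s\n' "${t%_TYPE_*}"
            ;;
        *)
            return 1
            ;;
    esac
}

# ndrdump_cmd TARGET FILE
# Print the decode_ndr_X_crash invocation for an NDR target, so the finding
# can be examined with ndrdump instead of a fuzzing build.
ndrdump_cmd() {
    pipe=$(pipe_from_target "$1") || return 1
    printf 'lib/fuzzing/decode_ndr_X_crash -p %s %s\n' "$pipe" "$2"
}

# classify_run BINARY INPUT [SECONDS]
# Feed INPUT to BINARY on stdin; print "clean", "timeout" or "crash:<status>".
# A process killed by a signal reports 128+signo (SIGSEGV -> 139, SIGABRT ->
# 134); ASan exits 1 by default and aborts only with abort_on_error=1.
classify_run() {
    bin=$1
    input=$2
    secs=${3:-10}
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" "$bin" <"$input" >/dev/null 2>&1 || rc=$?
    else
        "$bin" <"$input" >/dev/null 2>&1 || rc=$?
    fi
    case $rc in
        0)   echo clean ;;
        124) echo timeout ;;
        *)   echo "crash:$rc" ;;
    esac
}

# triage_dir BINARY DIR
# Run every reproducer in DIR, print "<status> <file>" per input and return 1
# if at least one input is not clean (usable as a gate after a fix).
triage_dir() {
    bin=$1
    dir=$2
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(classify_run "$bin" "$f")
        printf '%s %s\n' "$status" "$f"
        [ "$status" = clean ] || found=1
    done
    return $found
}

# Usage (hypothetical paths): print the ndrdump route for an NDR target
#   ndrdump_cmd fuzz_ndr_drsuapi_TYPE_OUT testcase-minimized
# or run a directory of reproducers through the locally built binary
#   triage_dir bin/fuzz_ndr_drsuapi_TYPE_OUT reproducers/
```

Run it with the reproducers downloaded from ClusterFuzz in one directory; a non-zero return from triage_dir after a fix means at least one input still reproduces, and a "timeout" classification points at a hang rather than a memory-safety finding.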
Developing new fuzzers
Please do help develop new fuzzers! If your work is finding security-relevant issues easily, the Samba Team can collaborate with you in private in the early stages, before the fuzzer is merged for public use and for running on OSS-Fuzz.
See this example of how to add a new fuzz target; the existing targets under lib/fuzzing/ follow the same pattern.
Fixing fuzzing bugs
Determine security impact
If there is security impact from the fuzzing result, please follow the Samba Security Process.
Add test cases
Remember to add a test case to the appropriate part of Samba when fixing the bug, wherever possible.
ndrdump reproducible failures
Currently, failures that can be reproduced with ndrdump are being added to python/samba/tests/blackbox/ndrdump.py.
Please find an appropriate part of the existing testsuite to extend, and build a framework if needed. This may seem excessive, but where one bug is found others will follow, and it makes things easier in the long run.
Make sure to credit the tool, the fuzz target and ideally the fuzz target author (particularly for novel or important findings). For issues found by OSS-Fuzz, they ask for the line "Credit to OSS-Fuzz" to be included in the commit message.