Bug in message.c:673: ENSURE(isc_mempool_getallocated(msg->namepool) == 0) failed
Summary
message.c:673: ENSURE(isc_mempool_getallocated(msg->namepool) == 0) failed, back trace
test@test:~/bind9/collect$ ./dns_message_parse_fuzzer id\:000000\,sig\:06\,src\:002736+001626\,time\:192782276\,op\:splice\,rep\:128
INFO: Seed: 1666455395
INFO: Loaded 1 modules (61310 inline 8-bit counters): 61310 [0x100d2b0, 0x101c22e),
INFO: Loaded 1 PC tables (61310 PCs): 61310 [0x101c230,0x110ba10),
./dns_message_parse_fuzzer: Running 1 inputs 1 time(s) each.
Running: id:000000,sig:06,src:002736+001626,time:192782276,op:splice,rep:128
message.c:673: ENSURE(isc_mempool_getallocated(msg->namepool) == 0) failed, back trace
./dns_message_parse_fuzzer() [0xab474a]
./dns_message_parse_fuzzer() [0xab43d0]
./dns_message_parse_fuzzer() [0xab422a]
./dns_message_parse_fuzzer() [0x566c5f]
./dns_message_parse_fuzzer() [0x566da7]
./dns_message_parse_fuzzer() [0x551bc4]
./dns_message_parse_fuzzer() [0x550f98]
./dns_message_parse_fuzzer() [0x45a0c2]
./dns_message_parse_fuzzer() [0x445843]
./dns_message_parse_fuzzer() [0x44b89f]
./dns_message_parse_fuzzer() [0x473213]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f0090f5eb97]
./dns_message_parse_fuzzer() [0x41fed9]
==23768== ERROR: libFuzzer: deadly signal
#0 0x527611 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
#1 0x472a38 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x458b63 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:232:3
#3 0x7f009196489f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1289f)
#4 0x7f0090f7bf46 in __libc_signal_restore_set /build/glibc-2ORdQG/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80
#5 0x7f0090f7bf46 in gsignal /build/glibc-2ORdQG/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:48
#6 0x7f0090f7d8b0 in abort /build/glibc-2ORdQG/glibc-2.27/stdlib/abort.c:79
#7 0xab4233 in isc_assertion_failed /src/bind9/lib/isc/assertions.c:47:2
#8 0x566c5e in msgreset /src/bind9/lib/dns/message.c:673:2
#9 0x566da6 in dns_message_destroy /src/bind9/lib/dns/message.c:801:2
#10 0x551bc3 in render_message /src/bind9/fuzz/dns_message_parse.c:131:2
#11 0x550f97 in LLVMFuzzerTestOneInput /src/bind9/fuzz/dns_message_parse.c:162:11
#12 0x45a0c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
#13 0x445842 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#14 0x44b89e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:796:9
#15 0x473212 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#16 0x7f0090f5eb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#17 0x41fed8 in _start (/home/test/bind9/collect/dns_message_parse_fuzzer+0x41fed8)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
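The failing check in the backtrace, `ENSURE(isc_mempool_getallocated(msg->namepool) == 0)` in `msgreset()`, fires when the message is torn down while some name obtained from the message's name pool was never returned to it. The following is an added illustrative model of that invariant, not BIND's code: the `toy_pool_t`, `toy_message_t`, `clean_path()` and `leaky_path()` names are assumptions made for this example. `message_reset()` returns the outstanding allocation count instead of aborting, which is where BIND's `ENSURE` would abort.

```c
/* Added example: a toy model of the namepool invariant checked in msgreset().
 * Not BIND code. All types and functions below are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_MAX 16

/* Stand-in for isc_mempool_t: fixed set of items plus a count of how many
 * are currently handed out (what isc_mempool_getallocated() would report). */
typedef struct {
    void *items[POOL_MAX];
    int in_use[POOL_MAX];
    unsigned allocated;
} toy_pool_t;

typedef struct {
    char text[64];
} toy_name_t;

/* Stand-in for the parts of dns_message_t that matter here. */
typedef struct {
    toy_pool_t namepool;
    toy_name_t *names[POOL_MAX];  /* names the message will free on reset */
    unsigned nnames;
} toy_message_t;

static void pool_init(toy_pool_t *p) {
    memset(p, 0, sizeof(*p));
    for (int i = 0; i < POOL_MAX; i++) {
        p->items[i] = calloc(1, sizeof(toy_name_t));
    }
}

static toy_name_t *pool_get(toy_pool_t *p) {
    for (int i = 0; i < POOL_MAX; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            p->allocated++;
            return (toy_name_t *)p->items[i];
        }
    }
    return NULL;
}

static void pool_put(toy_pool_t *p, toy_name_t *n) {
    for (int i = 0; i < POOL_MAX; i++) {
        if (p->items[i] == n && p->in_use[i]) {
            p->in_use[i] = 0;
            p->allocated--;
            return;
        }
    }
}

static unsigned pool_getallocated(const toy_pool_t *p) {
    return p->allocated;
}

static void pool_destroy(toy_pool_t *p) {
    for (int i = 0; i < POOL_MAX; i++) {
        free(p->items[i]);
    }
}

/* Return every tracked name to the pool, then report what is still out.
 * In BIND this is the point where ENSURE(... == 0) aborts the process. */
static unsigned message_reset(toy_message_t *msg) {
    for (unsigned i = 0; i < msg->nnames; i++) {
        pool_put(&msg->namepool, msg->names[i]);
    }
    msg->nnames = 0;
    return pool_getallocated(&msg->namepool);
}

/* Correct path: every name taken from the pool is tracked by the message,
 * so reset leaves the pool empty. Returns the outstanding count (0). */
static unsigned clean_path(void) {
    toy_message_t msg;
    memset(&msg, 0, sizeof(msg));
    pool_init(&msg.namepool);
    for (int i = 0; i < 3; i++) {
        toy_name_t *n = pool_get(&msg.namepool);
        strcpy(n->text, "example.");  /* constructed sample data */
        msg.names[msg.nnames++] = n;
    }
    unsigned leaked = message_reset(&msg);
    pool_destroy(&msg.namepool);
    return leaked;
}

/* Leaky path: a name is pulled from the pool for a temporary use and is
 * neither tracked by the message nor put back, so reset sees allocated != 0.
 * Returns the outstanding count (1). */
static unsigned leaky_path(void) {
    toy_message_t msg;
    memset(&msg, 0, sizeof(msg));
    pool_init(&msg.namepool);
    toy_name_t *tracked = pool_get(&msg.namepool);
    strcpy(tracked->text, "example.");
    msg.names[msg.nnames++] = tracked;
    toy_name_t *tmp = pool_get(&msg.namepool);  /* never tracked, never returned */
    strcpy(tmp->text, "leaked.");
    unsigned leaked = message_reset(&msg);
    pool_destroy(&msg.namepool);
    return leaked;
}

int main(void) {
    printf("clean path: %u name(s) still allocated at reset\n", clean_path());
    printf("leaky path: %u name(s) still allocated at reset\n", leaky_path());
    return 0;
}
```

The model shows why the assertion is a leak detector rather than a memory-safety check by itself: any parse or render path that acquires a name from `msg->namepool` and exits without handing it to the message, or without freeing it, leaves the count nonzero and trips the `ENSURE` at destroy time. When triaging the attached input, the path to look for is the one in the parser or in `render_message` that drops such a name.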
BIND version used
master-git
Steps to reproduce
./fuzzer POC bind9.zip
What is the current bug behavior?
crash
Relevant logs and/or screenshots
File in zip
Possible fixes