diff options
| author | Nardi Ivan <nardi.ivan@gmail.com> | 2023-09-15 20:30:30 +0200 |
|---|---|---|
| committer | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-09-16 11:26:11 +0200 |
| commit | 70814002a98ec52deda2ff61ac03613916c3efeb (patch) | |
| tree | 05464457bdc5d5a3ab43befdefff7894ba2cd8ed | |
| parent | 0828dff3acae6e06e6ac1d284ecb2c19ad83d27d (diff) | |
fuzz: extend fuzzing coverage
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | fuzz/Makefile.am | 18 | ||||
| -rw-r--r-- | fuzz/fuzz_binaryfusefilter.cpp | 63 | ||||
| -rw-r--r-- | fuzz/fuzz_ds_domain_classify.cpp | 5 | ||||
| -rw-r--r-- | fuzz/random_list.list | 6 | ||||
| -rw-r--r-- | src/lib/ndpi_domain_classify.c | 3 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 26 | ||||
| -rw-r--r-- | src/lib/third_party/include/binaryfusefilter.h | 2 | ||||
| -rw-r--r-- | tests/ossfuzz.sh | 1 |
9 files changed, 107 insertions, 18 deletions
diff --git a/.gitignore b/.gitignore index c1e896636..732142831 100644 --- a/.gitignore +++ b/.gitignore @@ -73,6 +73,7 @@ /fuzz/fuzz_ds_bitmap64 /fuzz/fuzz_ds_domain_classify /fuzz/fuzz_libinjection +/fuzz/fuzz_binaryfusefilter /fuzz/fuzz_tls_certificate /fuzz/fuzz_dga /fuzz/fuzz_ds_cmsketch diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index 9764f58ac..3903c85cd 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am @@ -4,7 +4,7 @@ bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_ #Data structures bin_PROGRAMS += fuzz_ds_patricia fuzz_ds_ahocorasick fuzz_ds_libcache fuzz_ds_tree fuzz_ds_ptree fuzz_ds_hash fuzz_ds_cmsketch fuzz_ds_bitmap64 fuzz_ds_domain_classify #Third party -bin_PROGRAMS += fuzz_libinjection +bin_PROGRAMS += fuzz_libinjection fuzz_binaryfusefilter #Internal crypto bin_PROGRAMS += fuzz_gcrypt_light #Configuration files @@ -371,6 +371,21 @@ fuzz_libinjection_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \ $(fuzz_libinjection_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@ +fuzz_binaryfusefilter_SOURCES = fuzz_binaryfusefilter.cpp fuzz_common_code.c +fuzz_binaryfusefilter_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) +fuzz_binaryfusefilter_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) +fuzz_binaryfusefilter_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS) +fuzz_binaryfusefilter_LDFLAGS = $(LIBS) +if HAS_FUZZLDFLAGS +fuzz_binaryfusefilter_CXXFLAGS += $(LIB_FUZZING_ENGINE) +fuzz_binaryfusefilter_CFLAGS += $(LIB_FUZZING_ENGINE) +fuzz_binaryfusefilter_LDFLAGS += $(LIB_FUZZING_ENGINE) +endif +# force usage of CXX for linker +fuzz_binaryfusefilter_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \ + $(fuzz_binaryfusefilter_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@ + fuzz_tls_certificate_SOURCES = fuzz_tls_certificate.c fuzz_common_code.c fuzz_tls_certificate_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS) fuzz_tls_certificate_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS) @@ -584,6 +599,7 @@ distdir: -o -name 'ipv4_addresses.txt' \ -o -name 'bd_param.txt' \ -o -name 'splt_param.txt' \ + -o -name 'random_list.list' \ -o -path './dictionary.dict' \ -o -path './dictionary_tls_certificate.dict' \ -o -path './corpus/fuzz_*.zip' \ diff --git a/fuzz/fuzz_binaryfusefilter.cpp b/fuzz/fuzz_binaryfusefilter.cpp new file mode 100644 index 000000000..e891127c1 --- /dev/null +++ b/fuzz/fuzz_binaryfusefilter.cpp @@ -0,0 +1,63 @@ +#include "fuzz_common_code.h" +#include "../src/lib/third_party/include/binaryfusefilter.h" +#include "fuzzer/FuzzedDataProvider.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + FuzzedDataProvider fuzzed_data(data, size); + u_int16_t i, num_iteration; + bool rc; + u_int64_t *values, value; + binary_fuse8_t filter8; + binary_fuse16_t filter16; + + /* To allow memory allocation failures */ + fuzz_set_alloc_callbacks_and_seed(size); + + size = fuzzed_data.ConsumeIntegral<u_int16_t>(); + values = (u_int64_t *)ndpi_calloc(size, sizeof(u_int64_t)); + if (!values) + return 0; + for (i = 0; i < size; i++) { + values[i] = fuzzed_data.ConsumeIntegral<u_int64_t>(); + } + + rc = binary_fuse8_allocate(size, &filter8); + if (rc) { + rc = binary_fuse8_populate(values, size, &filter8); + + if (rc) { + /* "Random" search */ + num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>(); + for (i = 0; i < num_iteration; i++) { + value = fuzzed_data.ConsumeIntegral<u_int64_t>(); + binary_fuse8_contain(value, &filter8); + } + /* Search of an added entry */ + if (size > 0) + binary_fuse8_contain(values[0], &filter8); + } + binary_fuse8_free(&filter8); + } + + rc = binary_fuse16_allocate(size, &filter16); + if (rc) { + rc = binary_fuse16_populate(values, size, &filter16); + + if (rc) { + /* "Random" search */ + num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>(); + for (i = 0; i < num_iteration; i++) { + value = fuzzed_data.ConsumeIntegral<u_int64_t>(); + binary_fuse16_contain(value, &filter16); + } + /* Search of an added entry */ + if (size > 0) + binary_fuse16_contain(values[0], &filter16); + } + binary_fuse16_free(&filter16); + } + + ndpi_free(values); + + return 0; +} diff --git a/fuzz/fuzz_ds_domain_classify.cpp b/fuzz/fuzz_ds_domain_classify.cpp index afd43a796..9a945deff 100644 --- a/fuzz/fuzz_ds_domain_classify.cpp +++ b/fuzz/fuzz_ds_domain_classify.cpp @@ -33,6 +33,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } } + ndpi_domain_classify_add_domains(d, NDPI_PROTOCOL_UNKNOWN, "random_list.list"); + + if (fuzzed_data.ConsumeBool()) + ndpi_domain_classify_finalize(d); + /* "Random" search */ num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>(); for (i = 0; i < num_iteration; i++) { diff --git a/fuzz/random_list.list b/fuzz/random_list.list new file mode 100644 index 000000000..af4f1c0a5 --- /dev/null +++ b/fuzz/random_list.list @@ -0,0 +1,6 @@ +# +# Custom random list +# +aa1084bets10.com + +q diff --git a/src/lib/ndpi_domain_classify.c b/src/lib/ndpi_domain_classify.c index c475c46f9..a289f2c41 100644 --- a/src/lib/ndpi_domain_classify.c +++ b/src/lib/ndpi_domain_classify.c @@ -130,6 +130,9 @@ u_int32_t ndpi_domain_classify_add_domains(ndpi_domain_classify *s, FILE *fd; char *line; + if(!s || !file_path) + return(false); + for(i=0; i<MAX_NUM_NDPI_DOMAIN_CLASSIFICATIONS; i++) { if(s->classes[i].class_id == class_id) { break; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6cbbcf252..17d1cd36c 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -122,8 +122,6 @@ #include "nbpf.h" #endif -static int _ndpi_debug_callbacks = 0; - /* #define DGA_DEBUG 1 */ /* #define MATCH_DEBUG 1 */ @@ -5307,11 +5305,10 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_tcp_payload(ndpi_str,a)) continue; if(!count_only) { - if(_ndpi_debug_callbacks) - NDPI_LOG_DBG2(ndpi_str, "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a, - ndpi_str->callback_buffer_size_tcp_payload); - memcpy(&ndpi_str->callback_buffer_tcp_payload[ndpi_str->callback_buffer_size_tcp_payload], - &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); + NDPI_LOG_DBG2(ndpi_str, "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a, + ndpi_str->callback_buffer_size_tcp_payload); + memcpy(&ndpi_str->callback_buffer_tcp_payload[ndpi_str->callback_buffer_size_tcp_payload], + &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); } ndpi_str->callback_buffer_size_tcp_payload++; } @@ -5319,11 +5316,10 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_tcp_nopayload(ndpi_str,a)) continue; if(!count_only) { - if(_ndpi_debug_callbacks) - NDPI_LOG_DBG2( ndpi_str, - "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a); - memcpy(&ndpi_str->callback_buffer_tcp_no_payload[ndpi_str->callback_buffer_size_tcp_no_payload], - &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); + NDPI_LOG_DBG2(ndpi_str, + "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a); + memcpy(&ndpi_str->callback_buffer_tcp_no_payload[ndpi_str->callback_buffer_size_tcp_no_payload], + &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); } ndpi_str->callback_buffer_size_tcp_no_payload++; } @@ -5333,8 +5329,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_udp(ndpi_str,a)) continue; if(!count_only) { - if(_ndpi_debug_callbacks) - NDPI_LOG_DBG2(ndpi_str, "callback_buffer_size_udp: adding buffer : %u\n", a); + NDPI_LOG_DBG2(ndpi_str, "callback_buffer_size_udp: adding buffer : %u\n", a); memcpy(&ndpi_str->callback_buffer_udp[ndpi_str->callback_buffer_size_udp], &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); @@ -5347,8 +5342,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_other(ndpi_str,a)) continue; if(!count_only) { - if(_ndpi_debug_callbacks) - NDPI_LOG_DBG2(ndpi_str, "callback_buffer_non_tcp_udp: adding buffer : %u\n", a); + NDPI_LOG_DBG2(ndpi_str, "callback_buffer_non_tcp_udp: adding buffer : %u\n", a); memcpy(&ndpi_str->callback_buffer_non_tcp_udp[ndpi_str->callback_buffer_size_non_tcp_udp], &ndpi_str->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); diff --git a/src/lib/third_party/include/binaryfusefilter.h b/src/lib/third_party/include/binaryfusefilter.h index 6e2498baa..8326eb034 100644 --- a/src/lib/third_party/include/binaryfusefilter.h +++ b/src/lib/third_party/include/binaryfusefilter.h @@ -216,7 +216,7 @@ static inline bool binary_fuse8_allocate(uint32_t size, filter->SegmentLength = 262144; } filter->SegmentLengthMask = filter->SegmentLength - 1; - double sizeFactor = binary_fuse_calculate_size_factor(arity, size); + double sizeFactor = size <= 1 ? 0 : binary_fuse_calculate_size_factor(arity, size); uint32_t capacity = size <= 1 ? 0 : (uint32_t)(round((double)size * sizeFactor)); uint32_t initSegmentCount = (capacity + filter->SegmentLength - 1) / filter->SegmentLength - diff --git a/tests/ossfuzz.sh b/tests/ossfuzz.sh index 5d7f759f4..365751b3b 100644 --- a/tests/ossfuzz.sh +++ b/tests/ossfuzz.sh @@ -60,5 +60,6 @@ cp example/sha1_fingerprints.csv $OUT/ cp fuzz/ipv4_addresses.txt $OUT/ cp fuzz/bd_param.txt $OUT/ cp fuzz/splt_param.txt $OUT/ +cp fuzz/random_list.list $OUT/ mkdir -p $OUT/lists cp lists/*.list $OUT/lists |