diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-02-09 20:02:12 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-09 20:02:12 +0100 |
| commit | b51a2ac72a3cbd1b470890d0151a46da28e6754e (patch) | |
| tree | 694a86ec7690962b21fb2c1bcf12df9f842d5957 /fuzz/fuzz_alg_hll.cpp | |
| parent | 4bb851384efb2a321def0bdb5e93786fac1cc02b (diff) | |
fuzz: some improvements and add two new fuzzers (#1881)
Remove `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` define from
`fuzz/Makefile.am`; it is already included by the main configure script
(when fuzzing).
Add a knob to force disabling of AESNI optimizations: this way we can
fuzz also no-aesni crypto code.
Move CRC32 algorithm into the library.
Add some fake traces to extend fuzzing coverage. Note that these traces
are hand-made (via scapy/curl) and must not be used as "proof" that the
dissectors are really able to identify this kind of traffic.
Some small updates to some dissectors:
CSGO: remove a wrong rule (never triggered, BTW). Any UDP packet starting
with "VS01" will be classified as STEAM (see steam.c around line 111).
Googling it, it seems right so.
XBOX: XBOX only analyses UDP flows while HTTP only TCP ones; therefore
that condition is false.
RTP, STUN: removed useless "break"s
Zattoo: `flow->zattoo_stage` is never set to any values greater or equal
to 5, so these checks are never true.
PPStream: `flow->l4.udp.ppstream_stage` is never read. Delete it.
TeamSpeak: we check for `flow->packet_counter == 3` just above, so the
following check `flow->packet_counter >= 3` is always false.
Diffstat (limited to 'fuzz/fuzz_alg_hll.cpp')
| -rw-r--r-- | fuzz/fuzz_alg_hll.cpp | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/fuzz/fuzz_alg_hll.cpp b/fuzz/fuzz_alg_hll.cpp index 617968dfd..99603ce19 100644 --- a/fuzz/fuzz_alg_hll.cpp +++ b/fuzz/fuzz_alg_hll.cpp @@ -8,7 +8,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FuzzedDataProvider fuzzed_data(data, size); u_int16_t i, num_iteration; - struct ndpi_hll hll; + struct ndpi_hll *hll; + int rc; /* Just to have some data */ if(fuzzed_data.remaining_bytes() < 2048) @@ -17,25 +18,31 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* To allow memory allocation failures */ fuzz_set_alloc_callbacks_and_seed(size); - ndpi_hll_init(&hll, fuzzed_data.ConsumeIntegral<u_int16_t>()); + hll = (struct ndpi_hll *)ndpi_malloc(sizeof(*hll)); - num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>(); - for (i = 0; i < num_iteration; i++) - ndpi_hll_add_number(&hll, fuzzed_data.ConsumeIntegral<u_int32_t>()); + rc = ndpi_hll_init(hll, fuzzed_data.ConsumeIntegral<u_int8_t>()); - ndpi_hll_count(&hll); + if (rc == 0) { + num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>(); + for (i = 0; i < num_iteration; i++) + ndpi_hll_add_number(hll, fuzzed_data.ConsumeIntegral<u_int32_t>()); - ndpi_hll_reset(&hll); + ndpi_hll_count(hll); - num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>(); - for (i = 0; i < num_iteration; i++) { - std::vector<int8_t>data = fuzzed_data.ConsumeBytes<int8_t>(fuzzed_data.ConsumeIntegral<u_int8_t>()); - ndpi_hll_add(&hll, (char *)data.data(), data.size()); - } + ndpi_hll_reset(hll); + + num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>(); + for (i = 0; i < num_iteration; i++) { + std::vector<int8_t>data = fuzzed_data.ConsumeBytes<int8_t>(fuzzed_data.ConsumeIntegral<u_int8_t>()); + ndpi_hll_add(hll, (char *)data.data(), data.size()); + } - ndpi_hll_count(&hll); + ndpi_hll_count(hll); + + ndpi_hll_destroy(hll); + } - ndpi_hll_destroy(&hll); + ndpi_free(hll); return 0; } |