author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-01-24 21:16:58 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-24 21:16:58 +0100 |
commit | d577508727226d44a713f1af38b08769546edd2a (patch) | |
tree | b04fe77e9665778b1737099c815dd0ebba12777a /fuzz/fuzz_config.cpp | |
parent | 7a83a8dc9122a730a74e5ac644413ae87f94e563 (diff) |
fuzz: extend fuzzing coverage (#2281)
Diffstat (limited to 'fuzz/fuzz_config.cpp')
-rw-r--r-- | fuzz/fuzz_config.cpp | 74 |
1 files changed, 66 insertions, 8 deletions
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index b85f3752f..f99b87358 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -32,6 +32,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { char cfg_value[32]; char cfg_proto[32]; char cfg_param[32]; + u_int64_t cat_userdata = 0; /* Just to be sure to have some data */ 
@@ -65,16 +66,32 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if(fuzzed_data.ConsumeBool()) ndpi_load_protocols_file(ndpi_info_mod, "protos.txt"); if(fuzzed_data.ConsumeBool()) - ndpi_load_categories_file(ndpi_info_mod, "categories.txt", NULL); + ndpi_load_protocols_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */ + if(fuzzed_data.ConsumeBool()) + ndpi_load_categories_file(ndpi_info_mod, "categories.txt", &cat_userdata); + if(fuzzed_data.ConsumeBool()) + ndpi_load_categories_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename", &cat_userdata); /* Error */ if(fuzzed_data.ConsumeBool()) ndpi_load_risk_domain_file(ndpi_info_mod, "risky_domains.txt"); if(fuzzed_data.ConsumeBool()) + ndpi_load_risk_domain_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */ + if(fuzzed_data.ConsumeBool()) ndpi_load_malicious_ja3_file(ndpi_info_mod, "ja3_fingerprints.csv"); if(fuzzed_data.ConsumeBool()) + ndpi_load_malicious_ja3_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */ + if(fuzzed_data.ConsumeBool()) ndpi_load_malicious_sha1_file(ndpi_info_mod, "sha1_fingerprints.csv"); - /* Note that this function is not used by ndpiReader */ if(fuzzed_data.ConsumeBool()) + ndpi_load_malicious_sha1_file(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "invalid_filename"); /* Error */ + if(fuzzed_data.ConsumeBool()) + ndpi_load_domain_suffixes(ndpi_info_mod, (char *)"public_suffix_list.dat"); + if(fuzzed_data.ConsumeBool()) + ndpi_load_domain_suffixes(ndpi_info_mod, fuzzed_data.ConsumeBool() ? 
NULL : (char *)"invalid_filename"); /* Error */ + /* Note that this function is not used by ndpiReader */ + if(fuzzed_data.ConsumeBool()) { + ndpi_load_ipv4_ptree(ndpi_info_mod, "invalid_filename", NDPI_PROTOCOL_TLS); ndpi_load_ipv4_ptree(ndpi_info_mod, "ipv4_addresses.txt", NDPI_PROTOCOL_TLS); + } /* TODO: stub for geo stuff */ ndpi_load_geoip(ndpi_info_mod, NULL, NULL); @@ -92,11 +109,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { value = fuzzed_data.ConsumeIntegralInRange(0, 365 + 1); sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, "tls", "certificate_expiration_threshold", cfg_value); + ndpi_get_config(ndpi_info_mod, "tls", "certificate_expiration_threshold", cfg_value, sizeof(cfg_value)); } if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, "tls", "application_blocks_tracking", cfg_value); + ndpi_get_config(ndpi_info_mod, "tls", "application_blocks_tracking", cfg_value, sizeof(cfg_value)); } if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); @@ -152,6 +171,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, "any", "log", cfg_value); + ndpi_get_config(ndpi_info_mod, "any", "log", cfg_value, sizeof(cfg_value)); } for(i = 0; i < NDPI_MAX_SUPPORTED_PROTOCOLS; i++) { if(fuzzed_data.ConsumeBool()) { 
@@ -160,12 +180,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { sprintf(cfg_proto, "%d", i); /* TODO: we should try to map integer into name */ ndpi_set_config(ndpi_info_mod, cfg_proto, "log", cfg_value); + ndpi_get_config(ndpi_info_mod, cfg_proto, "log", cfg_value, sizeof(cfg_value)); } } if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, "any", "ip_list.load", cfg_value); + ndpi_get_config(ndpi_info_mod, "any", "ip_list.load", cfg_value, sizeof(cfg_value)); } for(i = 0; i < NDPI_MAX_SUPPORTED_PROTOCOLS; i++) { if(fuzzed_data.ConsumeBool()) { @@ -173,6 +195,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { sprintf(cfg_value, "%d", value); sprintf(cfg_proto, "%d", i); ndpi_set_config(ndpi_info_mod, cfg_proto, "ip_list.load", cfg_value); + ndpi_get_config(ndpi_info_mod, cfg_proto, "ip_list.load", cfg_value, sizeof(cfg_value)); } } if(fuzzed_data.ConsumeBool()) { @@ -231,6 +254,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "flow_risk.crawler_bot.list.load", cfg_value); } if(fuzzed_data.ConsumeBool()) { + ndpi_set_config(ndpi_info_mod, NULL, "filename.config", fuzzed_data.ConsumeBool() ? NULL : (char *)"config.txt"); + ndpi_get_config(ndpi_info_mod, NULL, "filename.config", cfg_value, sizeof(cfg_value)); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 3 + 1); sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "log.level", cfg_value); 
@@ -323,9 +350,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 / 2); /* max / 2 instead of max + 1 to avoid oom on oss-fuzzer */ sprintf(cfg_param, "lru.%s.size", name); ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value); + ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value)); value = fuzzed_data.ConsumeIntegralInRange(0, 16777215 + 1); sprintf(cfg_param, "lru.%s.ttl", name); ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value); + ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value)); } } /* Invalid parameter */ @@ -333,13 +362,19 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "foo", cfg_value); + ndpi_get_config(ndpi_info_mod, NULL, "foo", cfg_value, sizeof(cfg_value)); } /* Invalid value */ if(fuzzed_data.ConsumeBool()) { sprintf(cfg_value, "%s", "jjj"); ndpi_set_config(ndpi_info_mod, NULL, "lru.stun_zoom.ttl", cfg_value); + ndpi_get_config(ndpi_info_mod, NULL, "lru.stun_zoom.ttl", cfg_value, sizeof(cfg_value)); } + ndpi_add_host_risk_mask(ndpi_info_mod, + (char *)fuzzed_data.ConsumeBytesAsString(32).c_str(), + static_cast<ndpi_risk>(fuzzed_data.ConsumeIntegral<u_int64_t>())); + ndpi_finalize_initialization(ndpi_info_mod); /* Random protocol configuration */ 
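Review bot: In the `lru.%s.size` / `lru.%s.ttl` block, the visible lines assign `value` but never format it into `cfg_value`, so both `ndpi_set_config` calls pass whatever the buffer held before, and the added `ndpi_get_config` calls now overwrite that same buffer between them. If no `sprintf` exists outside the shown context, the fuzzed size and TTL never reach the library, and the bound chosen to avoid OOM on `value` limits nothing. Adding `sprintf(cfg_value, "%d", value);` before each `ndpi_set_config` here would match the other blocks. Reading back into a separate buffer would also keep the set and get paths independent. The enclosing loop starts outside the hunk.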
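Review bot: The added `ndpi_add_host_risk_mask` call consumes fuzz data twice inside one argument list, and C++ leaves the evaluation order of function arguments unspecified, so the same input can map to a different host/mask pair under another compiler and saved reproducers may not replay. The same pattern is in the `ndpi_generate_options` call in the `@@ -376,10 +429,10 @@` hunk. Hoisting the reads fixes the order: `std::string host = fuzzed_data.ConsumeBytesAsString(32);`, `ndpi_risk mask = static_cast<ndpi_risk>(fuzzed_data.ConsumeIntegral<u_int64_t>());`, `ndpi_add_host_risk_mask(ndpi_info_mod, &host[0], mask);`. A named `std::string` also gives the callee a writable buffer, which matters if it edits the host in place (not visible here), since writing through the `(char *)` cast on `c_str()` is undefined.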
@@ -355,8 +390,26 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_is_subprotocol_informative(ndpi_info_mod, pid); ndpi_get_proto_breed(ndpi_info_mod, pid); + ndpi_port_range d_port[MAX_DEFAULT_PORTS] = {}; + ndpi_set_proto_defaults(ndpi_info_mod, 0, 0, NDPI_PROTOCOL_SAFE, pid, + protoname, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, + d_port, d_port); + ndpi_get_proto_by_name(ndpi_info_mod, NULL); /* Error */ ndpi_get_proto_by_name(ndpi_info_mod, "foo"); /* Invalid protocol */ + ndpi_get_proto_name(ndpi_info_mod, pid); + ndpi_get_protocol_id(ndpi_info_mod, protoname); + + struct in_addr pin; + struct in6_addr pin6; + pin.s_addr = fuzzed_data.ConsumeIntegral<u_int32_t>(); + ndpi_network_port_ptree_match(ndpi_info_mod, &pin, fuzzed_data.ConsumeIntegral<u_int16_t>()); + for(i = 0; i < 16; i++) + pin6.s6_addr[i] = fuzzed_data.ConsumeIntegral<u_int8_t>(); + ndpi_network_port_ptree6_match(ndpi_info_mod, &pin6, fuzzed_data.ConsumeIntegral<u_int16_t>()); + + ndpi_get_host_domain_suffix(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "www.bbc.co.uk"); + ndpi_get_host_domain(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : "www.bbc.co.uk"); /* Custom category configuration */ cat = fuzzed_data.ConsumeIntegralInRange(static_cast<int>(NDPI_PROTOCOL_CATEGORY_CUSTOM_1), 
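Review bot: The two added lookups `ndpi_get_host_domain_suffix` and `ndpi_get_host_domain` only ever receive NULL or the literal `"www.bbc.co.uk"`, so the suffix matching sees a single hostname shape no matter what the fuzzer generates. Feeding a fuzzed name, e.g. `const std::string host = fuzzed_data.ConsumeRandomLengthString(64);` followed by `ndpi_get_host_domain_suffix(ndpi_info_mod, host.c_str());`, would exercise empty labels, trailing dots and names without a listed suffix. This draws bytes that would otherwise end up in the packet buffer, so existing corpus entries would shift meaning. `pid` and `protoname` are defined outside the hunk.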
@@ -376,10 +429,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_self_check_host_match(stdout); - ndpi_dump_protocols(ndpi_info_mod, stdout); - ndpi_generate_options(fuzzed_data.ConsumeIntegralInRange(0, 4), stdout); - ndpi_dump_risks_score(stdout); - ndpi_dump_config(ndpi_info_mod, stdout); + ndpi_dump_protocols(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : stdout); + ndpi_generate_options(fuzzed_data.ConsumeIntegralInRange(0, 4), fuzzed_data.ConsumeBool() ? NULL : stdout); + ndpi_dump_risks_score(fuzzed_data.ConsumeBool() ? NULL : stdout); + ndpi_dump_config(ndpi_info_mod, fuzzed_data.ConsumeBool() ? NULL : stdout); /* Basic code to try testing this "config" */ bool_value = fuzzed_data.ConsumeBool(); @@ -388,6 +441,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { memset(&flow, 0, sizeof(flow)); std::vector<uint8_t>pkt = fuzzed_data.ConsumeRemainingBytes<uint8_t>(); + const u_int8_t *l4_return; + u_int16_t l4_len_return; + u_int8_t l4_protocol_return; + ndpi_detection_get_l4(pkt.data(), pkt.size(), &l4_return, &l4_len_return, &l4_protocol_return, NDPI_DETECTION_ONLY_IPV6); + ndpi_detection_get_l4(pkt.data(), pkt.size(), &l4_return, &l4_len_return, &l4_protocol_return, NDPI_DETECTION_ONLY_IPV4); + ndpi_detection_process_packet(ndpi_info_mod, &flow, pkt.data(), pkt.size(), 0, &input_info); p = ndpi_detection_giveup(ndpi_info_mod, &flow, &protocol_was_guessed); @@ -406,7 +465,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_get_http_method(ndpi_info_mod, bool_value ? &flow : NULL); ndpi_get_http_url(ndpi_info_mod, &flow); ndpi_get_http_content_type(ndpi_info_mod, &flow); - check_for_email_address(ndpi_info_mod, 0); ndpi_get_flow_name(bool_value ? &flow : NULL); /* ndpi_guess_undetected_protocol() is a "strange" function. Try fuzzing it, here */ if(!ndpi_is_protocol_detected(ndpi_info_mod, p)) { 
@@ -423,7 +481,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { flow.c_address.v4, flow.c_port, flow.s_address.v4, flow.s_port); } else { - ndpi_find_ipv6_category_userdata(ndpi_info_mod, (struct in6_addr *)flow.c_address.v6); + ndpi_find_ipv6_category_userdata(ndpi_info_mod, bool_value ? NULL : (struct in6_addr *)flow.c_address.v6); } /* Another "strange" function: fuzz it here, for lack of a better alternative */ ndpi_search_tcp_or_udp(ndpi_info_mod, &flow); |