fuzz: some improvements and add two new fuzzers (#1881)

Remove `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` define from
`fuzz/Makefile.am`; it is already included by the main configure script
(when fuzzing).

Add a knob to force disabling of AESNI optimizations: this way we can
fuzz also no-aesni crypto code.

Move CRC32 algorithm into the library.

Add some fake traces to extend fuzzing coverage. Note that these traces
are hand-made (via scapy/curl) and must not be used as "proof" that the
dissectors are really able to identify this kind of traffic.

Some small updates to some dissectors:

CSGO: remove a wrong rule (never triggered, BTW). Any UDP packet starting
with "VS01" will be classified as STEAM (see steam.c around line 111).
Googling it, it seems right so.

XBOX: XBOX only analyses UDP flows while HTTP only TCP ones; therefore
that condition is false.

RTP, STUN: removed useless "break"s

Zattoo: `flow->zattoo_stage` is never set to any values greater or equal
to 5, so these checks are never true.

PPStream: `flow->l4.udp.ppstream_stage` is never read. Delete it.

TeamSpeak: we check for `flow->packet_counter == 3` just above, so the
following check `flow->packet_counter >= 3` is always false.

1 files changed, 71 insertions, 0 deletions

diff --git a/fuzz/fuzz_ds_ptree.cpp b/fuzz/fuzz_ds_ptree.cpp
new file mode 100644
index 000000000..ae92a0257
--- /dev/null
+++ b/fuzz/fuzz_ds_ptree.cpp
@@ -0,0 +1,71 @@
+#include "ndpi_api.h"
+#include "fuzz_common_code.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include <assert.h>
+#include "fuzzer/FuzzedDataProvider.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  FuzzedDataProvider fuzzed_data(data, size);
+  u_int16_t i, num_iteration;
+  ndpi_ptree_t *t;
+  ndpi_ip_addr_t addr, addr_added;
+  u_int8_t bits;
+  int rc, is_added = 0;
+  u_int64_t user_data;
+
+  /* To allow memory allocation failures */
+  fuzz_set_alloc_callbacks_and_seed(size);
+
+  t = ndpi_ptree_create();
+
+  /* Random insert */
+  num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>();
+  for (i = 0; i < num_iteration; i++) {
+    if (fuzzed_data.ConsumeBool()) {
+      if(fuzzed_data.remaining_bytes() > 16) {
+	memcpy(&addr.ipv6, fuzzed_data.ConsumeBytes<u_int8_t>(16).data(), 16);
+        bits = fuzzed_data.ConsumeIntegralInRange(0, 128);
+      } else {
+        continue;
+      }
+    } else {
+      memset(&addr, '\0', sizeof(addr));
+      addr.ipv4 = fuzzed_data.ConsumeIntegral<u_int32_t>();
+      bits = fuzzed_data.ConsumeIntegralInRange(0, 32);
+    };
+
+    rc = ndpi_ptree_insert(t, &addr, bits, 0);
+    /* Keep one random node really added */
+    if (rc == 0 && is_added == 0 && fuzzed_data.ConsumeBool()) {
+      is_added = 1;
+      addr_added = addr;
+    }
+  }
+
+  /* Random search */
+  num_iteration = fuzzed_data.ConsumeIntegral<u_int8_t>();
+  for (i = 0; i < num_iteration; i++) {
+    if (fuzzed_data.ConsumeBool()) {
+      if(fuzzed_data.remaining_bytes() > 16) {
+	memcpy(&addr.ipv6, fuzzed_data.ConsumeBytes<u_int8_t>(16).data(), 16);
+      } else {
+        continue;
+      }
+    } else {
+      memset(&addr, '\0', sizeof(addr));
+      addr.ipv4 = fuzzed_data.ConsumeIntegral<u_int32_t>();
+    };
+
+    ndpi_ptree_match_addr(t, &addr, &user_data);
+  }
+  /* Search of an added node */
+  if (is_added)
+    ndpi_ptree_match_addr(t, &addr_added, &user_data);
+
+  ndpi_ptree_destroy(t);
+
+  return 0;
+}