author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-07-11 10:12:08 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-11 10:12:08 +0200 |
commit | 950f5cc4e3ddd9bc0f8881950082283aa381c805 (patch) | |
tree | 4686d9c1b1d0348d06db9d6aa8ed166f449e3238 /fuzz/fuzz_libinjection.c | |
parent | 859d9ea3c33c3ed54c159658a94381fdd4e7eccb (diff) |
fuzz: extend fuzzing coverage (#2040)
Some notes:
* libinjection: according to https://github.com/libinjection/libinjection/issues/44,
it seems NUL bytes are valid in the input string;
* RTP: `rtp_get_stream_type()` is called only for RTP packets; if you
want to tell RTP from RTCP you should use `is_rtp_or_rtcp()`;
* TLS: unnecessary check; we already make the same check just above, at
the beginning of the `while` loop
Diffstat (limited to 'fuzz/fuzz_libinjection.c')
-rw-r--r-- | fuzz/fuzz_libinjection.c | 26 |
1 files changed, 7 insertions, 19 deletions
diff --git a/fuzz/fuzz_libinjection.c b/fuzz/fuzz_libinjection.c
index f614a62e1..b1d897d23 100644
--- a/fuzz/fuzz_libinjection.c
+++ b/fuzz/fuzz_libinjection.c
@@ -4,36 +4,24 @@
 #include "../src/lib/third_party/include/libinjection_sqli.h"
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- char *query;
 struct libinjection_sqli_state state; /* No memory allocations involved */
- /* Libinjection: it wants null-terminated string */
-
- query = malloc(size + 1);
- if (!query)
- return 0;
- memcpy(query, data, size);
- query[size] = '\0';
-
- libinjection_sqli_init(&state, query, strlen(query), 0); /* Default: FLAG_QUOTE_NONE | FLAG_SQL_ANSI */
+ libinjection_sqli_init(&state, (char *)data, size, 0); /* Default: FLAG_QUOTE_NONE | FLAG_SQL_ANSI */
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_DOUBLE | FLAG_SQL_ANSI);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_DOUBLE | FLAG_SQL_ANSI);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_NONE | FLAG_SQL_MYSQL);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_NONE | FLAG_SQL_MYSQL);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL);
 libinjection_is_sqli(&state);
- libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL);
+ libinjection_sqli_init(&state, (char *)data, size, FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL);
 libinjection_is_sqli(&state);
- libinjection_xss(query, strlen(query));
-
- free(query);
+ libinjection_xss((char *)data, size);
 libinjection_version(); |