author | Nardi Ivan <nardi.ivan@gmail.com> | 2023-10-08 20:36:23 +0200 |
---|---|---|
committer | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-10-09 15:41:46 +0200 |
commit | 1366d9415678a44456f4f8e38adef7114a106273 (patch) | |
tree | 7c8da81948ca2da57a2c4a1d061604077373f1a5 /fuzz | |
parent | 86115a8a65c98d0665100b5ae85cc661d1404783 (diff) |
fuzzing: extend fuzzing coverage
Try fuzzing some functions which write to file/file descriptor; to avoid
slowing the fuzzer, close its stdout
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/Makefile.am | 1 | ||||
-rw-r--r-- | fuzz/fuzz_config.cpp | 6 | ||||
-rw-r--r-- | fuzz/fuzz_config.options | 2 | ||||
-rw-r--r-- | fuzz/fuzz_gcrypt_gcm.cpp | 15 |
4 files changed, 21 insertions, 3 deletions
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 2568af4b1..3d865a253 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -626,6 +626,7 @@ distdir:
 -o -name '*.am' \
 -o -name '*.h' \
 -o -name '*.cpp' \
+ -o -name '*.options' \
 -o -name 'ipv4_addresses.txt' \
 -o -name 'bd_param.txt' \
 -o -name 'splt_param.txt' \
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index c5ee02042..53d5c2fd8 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -172,7 +172,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ndpi_get_ndpi_num_custom_protocols(ndpi_info_mod);
 ndpi_get_ndpi_num_supported_protocols(ndpi_info_mod);
- ndpi_self_check_host_match(stderr);
+ ndpi_self_check_host_match(stdout);
+
+ ndpi_dump_protocols(ndpi_info_mod, stdout);
+ ndpi_generate_options(fuzzed_data.ConsumeIntegralInRange(0, 4), stdout);
+ ndpi_dump_risks_score(stdout);
 /* Basic code to try testing this "config" */
 bool_value = fuzzed_data.ConsumeBool();
diff --git a/fuzz/fuzz_config.options b/fuzz/fuzz_config.options
new file mode 100644
index 000000000..1c815b33f
--- /dev/null
+++ b/fuzz/fuzz_config.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+close_fd_mask=1
diff --git a/fuzz/fuzz_gcrypt_gcm.cpp b/fuzz/fuzz_gcrypt_gcm.cpp
index 37bb35e3d..fb2b0a931 100644
--- a/fuzz/fuzz_gcrypt_gcm.cpp
+++ b/fuzz/fuzz_gcrypt_gcm.cpp
@@ -20,7 +20,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 int key_len, rc_e, rc_d;
 mbedtls_cipher_id_t cipher;
 unsigned char *tag;
- int iv_len, tag_len, input_length;
+ int iv_len, tag_len, input_length, force_auth_tag_error;
 /* No real memory allocations involved */
@@ -28,6 +28,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 1 + 64 + /* iv */
 1 + /* tag_len */
 1 + 64 + /* input */
+ 1 + /* force_auth_tag_error */
 1 /* useless data: to be able to add the check with assert */)
 return -1;
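Review bot: In fuzz/fuzz_config.cpp the four calls that now write to `stdout` depend on `close_fd_mask=1` from the new fuzz_config.options file, and nothing at the call site says so. A harness started without that options file (a local crash reproduction, or an engine that does not read libFuzzer options) would presumably print the full dumps on every iteration. A comment above the block such as `/* stdout is discarded: fuzz_config.options sets close_fd_mask=1 */` would document the dependency. The upper bound `4` passed to `ndpi_generate_options` is also unexplained; if it is meant to cover every valid option plus an out-of-range one, a short comment should say so. LLVMFuzzerTestOneInput starts and ends outside the hunk.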
@@ -55,6 +56,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 output = (unsigned char *)malloc(input_length);
 decrypted = (unsigned char *)malloc(input_length);
+ force_auth_tag_error = fuzzed_data.ConsumeBool();
+
 cipher = static_cast<mbedtls_cipher_id_t>(fuzzed_data.ConsumeIntegralInRange(0, (int)MBEDTLS_CIPHER_ID_CHACHA20));
 assert(fuzzed_data.remaining_bytes() > 0);
@@ -74,6 +77,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 output, tag_len, tag);
 if(rc_e == 0) {
+ if(force_auth_tag_error && tag_len > 0 && tag[0] != 0) {
+ tag[0] = 0;
+ } else {
+ force_auth_tag_error = 0;
+ }
+
 rc_d = mbedtls_gcm_auth_decrypt(gcm_d_ctx, input.size(), iv.data(), iv.size(),
@@ -81,8 +90,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 tag, tag_len, output, decrypted);
- if (rc_d == 0)
+ if(rc_d == 0)
 assert(memcmp(input.data(), decrypted, input.size()) == 0);
+ if(force_auth_tag_error)
+ assert(rc_d == MBEDTLS_ERR_GCM_AUTH_FAILED);
 }
 } |
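Review bot: In the `@@ -74,6 +77,12 @@` hunk the forced-failure case is silently dropped whenever `tag[0]` is already 0, because zeroing that byte would leave the tag unchanged and the `else` branch then clears `force_auth_tag_error`. Flipping a bit corrupts the tag for every input and removes the special case: `if(force_auth_tag_error && tag_len > 0) {` followed by `tag[0] ^= 0x01;`. The matching `assert(rc_d == MBEDTLS_ERR_GCM_AUTH_FAILED);` in the `@@ -81,8 +90,10 @@` hunk is the only check that a tampered tag is rejected, and it disappears if the harness is ever built with NDEBUG. A comment there such as `/* A corrupted tag must never authenticate; requires asserts enabled */` would make that explicit. The function body continues outside these hunks.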