author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2021-11-15 16:20:57 +0100 |
committer | GitHub <noreply@github.com> | 2021-11-15 16:20:57 +0100 |
commit | afc2b641eb9cf5035b5147e78030bafe0b40dd87 (patch) | |
tree | 99cf853d219ae6004819d2564f4cabd29c487cf6 /fuzz | |
parent | da47357762746c7fc5c537b575b5b56f252320a5 (diff) |
Fix writes to `flow->protos` union fields (#1354)
We can write to `flow->protos` only after a proper classification.
This issue has been found in Kerberos, DHCP, HTTP, STUN, IMO, FTP,
SMTP, IMAP and POP code.
There are two kinds of fixes:
* write to `flow->protos` only if a final protocol has been detected
* move protocol state out of `flow->protos`
The hard part is to find, for each protocol, the right tradeoff between
memory usage and code complexity.
Handle Kerberos like DNS: if we find a request, we set the protocol
and an extra callback to further parse the reply.
For all the other protocols, move the state out of `flow->protos`. This
is an issue only for the FTP/MAIL stuff.
Add DHCP Class Identification value to the output of ndpiReader and to
the JSON serialization.
Extend code coverage of fuzz tests.
Close #1343
Close #1342
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/Makefile.am | 2 | ||||
-rw-r--r-- | fuzz/fuzz_process_packet.c | 10 |
2 files changed, 9 insertions, 3 deletions
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index ade21ac5a..dc149968a 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -46,7 +46,7 @@ fuzz_ndpi_reader_with_main_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS
 # required for Google oss-fuzz
 # see https://github.com/google/oss-fuzz/tree/master/projects/ndpi
-testpcaps := $(wildcard ../tests/pcap/*.pcap)
+testpcaps := $(wildcard ../tests/pcap/*.pcap*)
 fuzz_ndpi_reader_seed_corpus.zip: $(testpcaps)
 	zip -r fuzz_ndpi_reader_seed_corpus.zip $(testpcaps)
diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c
index 9efd80799..b8780b7a8 100644
--- a/fuzz/fuzz_process_packet.c
+++ b/fuzz/fuzz_process_packet.c
@@ -8,13 +8,18 @@ struct ndpi_id_struct *src;
 struct ndpi_id_struct *dst;
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ uint8_t protocol_was_guessed;
+
 if (ndpi_info_mod == NULL) {
- ndpi_info_mod = ndpi_init_detection_module(ndpi_no_prefs);
- NDPI_PROTOCOL_BITMASK all;
+ ndpi_info_mod = ndpi_init_detection_module(ndpi_enable_ja3_plus);
+ NDPI_PROTOCOL_BITMASK all, debug_bitmask;
 NDPI_BITMASK_SET_ALL(all);
+ NDPI_BITMASK_SET_ALL(debug_bitmask);
 ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all);
 src = ndpi_malloc(SIZEOF_ID_STRUCT);
 dst = ndpi_malloc(SIZEOF_ID_STRUCT);
+ ndpi_set_log_level(ndpi_info_mod, 4);
+ ndpi_set_debug_bitmask(ndpi_info_mod, debug_bitmask);
 ndpi_finalize_initialization(ndpi_info_mod);
 }
@@ -23,6 +28,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 memset(src, 0, SIZEOF_ID_STRUCT);
 memset(dst, 0, SIZEOF_ID_STRUCT);
 ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0, src, dst);
+ ndpi_detection_giveup(ndpi_info_mod, ndpi_flow, 1, &protocol_was_guessed);
 ndpi_free_flow(ndpi_flow);
 return 0;
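Review bot: The debug setup added to the one-time init block — `ndpi_set_log_level(ndpi_info_mod, 4)` plus a debug bitmask with every protocol set — carries no comment saying why a fuzz target deliberately turns on maximal logging, and the bare literal 4 is opaque to a reader who does not know nDPI's log levels. A one-liner such as `/* enable all debug output so the logging/printf paths are exercised by the fuzzer too */` above the two new calls would record the intent, which matches the "extend code coverage" goal in the description. `protocol_was_guessed` is declared without an initializer; it is only written by `ndpi_detection_giveup` in the next hunk and never read here, so this is harmless today, but `uint8_t protocol_was_guessed = 0;` costs nothing and removes any dependence on giveup always storing to it. The unchecked `ndpi_malloc` results for `src`/`dst` predate this change and are left as they were. `LLVMFuzzerTestOneInput` continues past the end of this hunk.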
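Review bot: The new `ndpi_detection_giveup(ndpi_info_mod, ndpi_flow, 1, &protocol_was_guessed)` discards its return value and `protocol_was_guessed` is never inspected, so the call exists purely to drive the give-up path after a single packet; that should be stated next to it, e.g. `/* result intentionally ignored: the call is here so the give-up/guess paths run on a possibly unclassified flow */`. Given the description's point that `flow->protos` may only be written after a final classification, running giveup on a flow that saw one packet is exactly the scenario where a stale union write would surface under the sanitizers, so the added call is the right probe — the comment just needs to say so. The allocation and NULL check of `ndpi_flow` sit between the two hunks and are not visible here, and the function's closing brace is outside this hunk.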