authorLuca Deri <deri@ntop.org>2020-01-24 21:04:27 +0100
committerLuca Deri <deri@ntop.org>2020-01-24 21:04:27 +0100
commitd86d632fe63114792a1fa150f8290e12bfa8f71d (patch)
treea4d95e0143785f970c20cd1a9fd36ace469f1bcd /fuzz
parent87d228f78e6d6515fe080e818881f2bc5adf044c (diff)
Added memory boundary check in HTTP dissector
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/fuzz_ndpi_reader.c116
1 files changed, 58 insertions, 58 deletions
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 1a59d35f0..7de3d45f4 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -18,74 +18,74 @@ u_int8_t human_readeable_string_len = 5;
u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
int bufferToFile(const char * name, const uint8_t *Data, size_t Size) {
- FILE * fd;
- if (remove(name) != 0) {
- if (errno != ENOENT) {
- printf("failed remove, errno=%d\n", errno);
- return -1;
- }
- }
- fd = fopen(name, "wb");
- if (fd == NULL) {
- printf("failed open, errno=%d\n", errno);
- return -2;
- }
- if (fwrite (Data, 1, Size, fd) != Size) {
- fclose(fd);
- return -3;
+ FILE * fd;
+ if (remove(name) != 0) {
+ if (errno != ENOENT) {
+ printf("failed remove, errno=%d\n", errno);
+ return -1;
}
+ }
+ fd = fopen(name, "wb");
+ if (fd == NULL) {
+ printf("failed open, errno=%d\n", errno);
+ return -2;
+ }
+ if (fwrite (Data, 1, Size, fd) != Size) {
fclose(fd);
- return 0;
+ return -3;
+ }
+ fclose(fd);
+ return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- pcap_t * pkts;
- const u_char *pkt;
- struct pcap_pkthdr *header;
- int r;
- char errbuf[PCAP_ERRBUF_SIZE];
- NDPI_PROTOCOL_BITMASK all;
+ pcap_t * pkts;
+ const u_char *pkt;
+ struct pcap_pkthdr *header;
+ int r;
+ char errbuf[PCAP_ERRBUF_SIZE];
+ NDPI_PROTOCOL_BITMASK all;
+ if (prefs == NULL) {
+ prefs = calloc(sizeof(struct ndpi_workflow_prefs), 1);
if (prefs == NULL) {
- prefs = calloc(sizeof(struct ndpi_workflow_prefs), 1);
- if (prefs == NULL) {
- //should not happen
- return 1;
- }
- prefs->decode_tunnels = 1;
- prefs->num_roots = 16;
- prefs->max_ndpi_flows = 1024;
- prefs->quiet_mode = 0;
+ //should not happen
+ return 1;
}
- bufferToFile("/tmp/fuzz.pcap", Data, Size);
+ prefs->decode_tunnels = 1;
+ prefs->num_roots = 16;
+ prefs->max_ndpi_flows = 1024;
+ prefs->quiet_mode = 0;
+ }
+ bufferToFile("/tmp/fuzz.pcap", Data, Size);
- pkts = pcap_open_offline("/tmp/fuzz.pcap", errbuf);
- if (pkts == NULL) {
- return 0;
- }
- struct ndpi_workflow * workflow = ndpi_workflow_init(prefs, pkts);
- // enable all protocols
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &all);
- memset(workflow->stats.protocol_counter, 0,
- sizeof(workflow->stats.protocol_counter));
- memset(workflow->stats.protocol_counter_bytes, 0,
- sizeof(workflow->stats.protocol_counter_bytes));
- memset(workflow->stats.protocol_flows, 0,
- sizeof(workflow->stats.protocol_flows));
- ndpi_finalize_initalization(workflow->ndpi_struct);
+ pkts = pcap_open_offline("/tmp/fuzz.pcap", errbuf);
+ if (pkts == NULL) {
+ return 0;
+ }
+ struct ndpi_workflow * workflow = ndpi_workflow_init(prefs, pkts);
+ // enable all protocols
+ NDPI_BITMASK_SET_ALL(all);
+ ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &all);
+ memset(workflow->stats.protocol_counter, 0,
+ sizeof(workflow->stats.protocol_counter));
+ memset(workflow->stats.protocol_counter_bytes, 0,
+ sizeof(workflow->stats.protocol_counter_bytes));
+ memset(workflow->stats.protocol_flows, 0,
+ sizeof(workflow->stats.protocol_flows));
+ ndpi_finalize_initalization(workflow->ndpi_struct);
+ r = pcap_next_ex(pkts, &header, &pkt);
+ while (r > 0) {
+ /* allocate an exact size buffer to check overflows */
+ uint8_t *packet_checked = malloc(header->caplen);
+ memcpy(packet_checked, pkt, header->caplen);
+ ndpi_workflow_process_packet(workflow, header, packet_checked);
+ free(packet_checked);
r = pcap_next_ex(pkts, &header, &pkt);
- while (r > 0) {
- /* allocate an exact size buffer to check overflows */
- uint8_t *packet_checked = malloc(header->caplen);
- memcpy(packet_checked, pkt, header->caplen);
- ndpi_workflow_process_packet(workflow, header, packet_checked);
- free(packet_checked);
- r = pcap_next_ex(pkts, &header, &pkt);
- }
- ndpi_workflow_free(workflow);
- pcap_close(pkts);
+ }
+ ndpi_workflow_free(workflow);
+ pcap_close(pkts);
- return 0;
+ return 0;
}