author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-12-06 17:41:58 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-12-06 17:41:58 +0100 |
commit | ada4fe4aa8f88300cfc0dbe6ee965975274b1c40 (patch) | |
tree | 08010d2055d0159330ded8e5c15113deb0c41c3b /src/lib/protocols | |
parent | 946c3dba0f6c393c2e41b98103cec3e7308fbf2c (diff) |
fuzz: add a new fuzzer testing memory allocation failures (#1818)
Try to fuzz error paths triggered by allocation errors.
Fix some errors already found by this new fuzzer.
Basic idea taken from: https://github.com/harfbuzz/harfbuzz/pull/2566/files
`FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` is a standard define used to
include or exclude specific code in fuzzing builds.
See: https://llvm.org/docs/LibFuzzer.html
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/quic.c | 23 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 27 |
2 files changed, 33 insertions, 17 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 7f405b433..2f9a0927c 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -477,8 +477,10 @@ static int tls13_hkdf_expand_label_context(struct ndpi_detection_module_struct * #endif *out = (uint8_t *)ndpi_malloc(out_len); - if(!*out) + if(!*out) { + ndpi_free(info_data); return 0; + } err = hkdf_expand(md, secret->data, secret->data_len, info_data, info_len, *out, out_len); ndpi_free(info_data); @@ -655,8 +657,15 @@ static int quic_pp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_stru static int quic_ciphers_prepare(struct ndpi_detection_module_struct *ndpi_struct, quic_ciphers *ciphers, int hash_algo, int cipher_algo, int cipher_mode, uint8_t *secret, u_int32_t version) { - return quic_hp_cipher_prepare(ndpi_struct, &ciphers->hp_cipher, hash_algo, cipher_algo, secret, version) && - quic_pp_cipher_prepare(ndpi_struct, &ciphers->pp_cipher, hash_algo, cipher_algo, cipher_mode, secret, version); + int ret; + + ret = quic_hp_cipher_prepare(ndpi_struct, &ciphers->hp_cipher, hash_algo, cipher_algo, secret, version); + if(ret != 1) + return ret; + ret = quic_pp_cipher_prepare(ndpi_struct, &ciphers->pp_cipher, hash_algo, cipher_algo, cipher_mode, secret, version); + if(ret != 1) + quic_hp_cipher_reset(&ciphers->hp_cipher); + return ret; } /** * Given a header protection cipher, a buffer and the packet number offset, @@ -1013,7 +1022,7 @@ static void update_reasm_buf_bitmap(u_int8_t *buffer_bitmap, const u_int32_t recv_pos, const u_int32_t recv_len) { - if (!recv_len || !buffer_bitmap_size || recv_pos + recv_len > buffer_bitmap_size * 8) + if (!recv_len || !buffer_bitmap_size || !buffer_bitmap || recv_pos + recv_len > buffer_bitmap_size * 8) return; const u_int32_t start_byte = recv_pos / 8; const u_int32_t end_byte = (recv_pos + recv_len - 1) / 8; 
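Review bot: In the quic_ciphers_prepare hunk the two new `if(ret != 1)` guards assume that quic_hp_cipher_prepare and quic_pp_cipher_prepare return exactly 1 on success, and any other value now reaches the caller unchanged, whereas the replaced `&&` expression always produced 0 or 1. If either helper can return something other than 0/1 (their bodies are outside this hunk, so I cannot confirm), a caller that tests the result with `!` rather than `!= 1` would misread a negative code as success; if they only return 0/1, that is worth stating, e.g. `/* Both helpers return 1 on success, 0 on failure; pass the failure through. */` above the first call. The reset of hp_cipher when pp_cipher_prepare fails also deserves a one-line why, presumably `/* undo the hp cipher so the caller never holds a half-initialised quic_ciphers */`.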
@@ -1038,6 +1047,9 @@ static int is_reasm_buf_complete(const u_int8_t *buffer_bitmap, const u_int32_t remaining_bits = buffer_len % 8; u_int32_t i; + if (!buffer_bitmap) + return 0; + for(i = 0; i < complete_bytes; i++) if (buffer_bitmap[i] != 0xff) return 0; @@ -1058,7 +1070,8 @@ static int __reassemble(struct ndpi_flow_struct *flow, const u_int8_t *frag, if(!flow->l4.udp.quic_reasm_buf) { flow->l4.udp.quic_reasm_buf = (uint8_t *)ndpi_malloc(max_quic_reasm_buffer_len); - flow->l4.udp.quic_reasm_buf_bitmap = (uint8_t *)ndpi_calloc(quic_reasm_buffer_bitmap_len, sizeof(uint8_t)); + if(!flow->l4.udp.quic_reasm_buf_bitmap) + flow->l4.udp.quic_reasm_buf_bitmap = (uint8_t *)ndpi_calloc(quic_reasm_buffer_bitmap_len, sizeof(uint8_t)); if(!flow->l4.udp.quic_reasm_buf || !flow->l4.udp.quic_reasm_buf_bitmap) return -1; /* Memory error */ flow->l4.udp.quic_reasm_buf_last_pos = 0; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index e8ce0ea97..05b03d98c 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -146,8 +146,8 @@ static u_int32_t __get_master(struct ndpi_detection_module_struct *ndpi_struct, /* **************************************** */ -void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +int ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; message_t *message = &flow->l4.tcp.tls.message[packet->packet_direction]; u_int avail_bytes; @@ -166,7 +166,7 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct message->buffer = (u_int8_t*)ndpi_malloc(message->buffer_len); if(message->buffer == NULL) - return; + return -1; #ifdef DEBUG_TLS_MEMORY printf("[TLS Mem] Allocating %u buffer\n", message->buffer_len); 
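Review bot: The new `if(!flow->l4.udp.quic_reasm_buf_bitmap)` guard in __reassemble makes the function reuse a bitmap left over from an earlier call whose quic_reasm_buf allocation failed, and that is only correct if the retained bitmap is still all-zero. As far as this hunk shows that holds, because the `return -1` below prevents any bitmap update while the buffer is missing, but the bitmap now lives independently of the buffer; if any other path frees quic_reasm_buf without also clearing the bitmap pointer (not visible here), a stale bitmap with bits already set would be reused. A short comment would pin the invariant, e.g. `/* bitmap may survive a failed buf allocation; nothing touches it until buf exists, so it is still zeroed */`, or zero it defensively with `else memset(flow->l4.udp.quic_reasm_buf_bitmap, 0, quic_reasm_buffer_bitmap_len);`. __reassemble starts before this hunk.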
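Review bot: ndpi_search_tls_tcp_memory is a non-static symbol, so changing its return type from void to int at the top of the @@ -146 hunk also requires updating its prototype wherever it is declared; the diffstat is limited to src/lib/protocols, so the header change, if the commit contains one, is not visible here, and a stale `void` declaration would leave callers mismatched. The new contract is also undocumented: the following hunks return -1 on malloc/realloc failure and 0 otherwise, so a comment on the definition such as `/* Returns 0 on success, -1 when the reassembly buffer cannot be (re)allocated. */` would help the caller at @@ -973. The function body continues past this hunk.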
@@ -179,7 +179,7 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct u_int new_len = message->buffer_len + packet->payload_packet_len - avail_bytes + 1; void *newbuf = ndpi_realloc(message->buffer, message->buffer_len, new_len); - if(!newbuf) return; + if(!newbuf) return -1; #ifdef DEBUG_TLS_MEMORY printf("[TLS Mem] Enlarging %u -> %u buffer\n", message->buffer_len, new_len); @@ -223,6 +223,7 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct #endif } } + return 0; } /* **************************************** */ @@ -973,7 +974,8 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, return 1; /* Keep working */ } - ndpi_search_tls_tcp_memory(ndpi_struct, flow); + if(ndpi_search_tls_tcp_memory(ndpi_struct, flow) == -1) + return 0; /* Error -> stop */ message = &flow->l4.tcp.tls.message[packet->packet_direction]; /* Valid TLS Content Types: 
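Review bot: The caller at @@ -973 tests `== -1` against ndpi_search_tls_tcp_memory's new return value, which ties it to one specific sentinel; since the function signals failure only by a negative value, `if(ndpi_search_tls_tcp_memory(ndpi_struct, flow) < 0)` is the more conventional and forward-compatible test. The `return 0; /* Error -> stop */` itself matches the `return 1; /* Keep working */` convention visible just above it, so nothing else needs to change there. ndpi_search_tls_tcp starts before this hunk.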
@@ -2248,14 +2250,15 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #endif if(flow->protos.tls_quic.advertised_alpns == NULL) { flow->protos.tls_quic.advertised_alpns = ndpi_strdup(alpn_str); + if(flow->protos.tls_quic.advertised_alpns) { + tlsCheckUncommonALPN(ndpi_struct, flow, flow->protos.tls_quic.advertised_alpns); - tlsCheckUncommonALPN(ndpi_struct, flow, flow->protos.tls_quic.advertised_alpns); - - /* Without SNI matching we can try to sub-classify the flow via ALPN. - Note that this happens only on very rare cases, not the common ones - ("h2", "http/1.1", ...). Usefull for asymmetric traffic */ - if(!flow->protos.tls_quic.subprotocol_detected) - tls_subclassify_by_alpn(ndpi_struct, flow); + /* Without SNI matching we can try to sub-classify the flow via ALPN. + Note that this happens only on very rare cases, not the common ones + ("h2", "http/1.1", ...). Usefull for asymmetric traffic */ + if(!flow->protos.tls_quic.subprotocol_detected) + tls_subclassify_by_alpn(ndpi_struct, flow); + } } alpn_str_len = ndpi_min(sizeof(ja3.client.alpn), (size_t)alpn_str_len); |
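Review bot: When ndpi_strdup fails, the new `if(flow->protos.tls_quic.advertised_alpns)` guard in processClientServerHello silently skips tlsCheckUncommonALPN and the ALPN sub-classification instead of reporting the allocation failure; that is a reasonable best-effort choice, but it should be stated, e.g. `/* strdup failure is not fatal: ALPN checks are simply skipped for this hello */` on the guard line. Because advertised_alpns stays NULL, the same work would presumably be retried on a later hello of this flow if this code is reached again, which is worth confirming is intended. The moved comment also carries the typo "Usefull"; since those lines are rewritten anyway, spell it "Useful". processClientServerHello starts before this hunk and continues after it.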