authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-07-11 10:12:08 +0200
committerGitHub <noreply@github.com>2023-07-11 10:12:08 +0200
commit950f5cc4e3ddd9bc0f8881950082283aa381c805 (patch)
tree4686d9c1b1d0348d06db9d6aa8ed166f449e3238 /src/lib
parent859d9ea3c33c3ed54c159658a94381fdd4e7eccb (diff)
fuzz: extend fuzzing coverage (#2040)
Some notes: * libinjection: according to https://github.com/libinjection/libinjection/issues/44, it seems NULL characters are valid in the input string; * RTP: `rtp_get_stream_type()` is called only for RTP packets; if you want to tell RTP from RTCP you should use `is_rtp_or_rtcp()`; * TLS: unnecessary check; we already make the same check just above, at the beginning of the `while` loop
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c27
-rw-r--r--src/lib/ndpi_utils.c7
-rw-r--r--src/lib/protocols/rtp.c11
-rw-r--r--src/lib/protocols/tls.c4
-rw-r--r--src/lib/third_party/src/libinjection_xss.c4
5 files changed, 25 insertions, 28 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 839e8a334..1d2d728d4 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -334,6 +334,9 @@ u_int16_t ndpi_map_user_proto_id_to_ndpi_id(struct ndpi_detection_module_struct
#endif
#endif
+ if(!ndpi_str)
+ return(0);
+
if(user_proto_id < NDPI_MAX_SUPPORTED_PROTOCOLS)
return(user_proto_id);
else {
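Review bot: The new `if(!ndpi_str) return(0);` guard runs before the `user_proto_id < NDPI_MAX_SUPPORTED_PROTOCOLS` branch, which returns the id without reading `ndpi_str`. A NULL handle therefore now turns every id into 0, and the caller cannot tell that apart from a real mapping to id 0. If that is intended, say so above the guard, e.g. `/* NULL handle: report id 0 instead of dereferencing ndpi_str below */`; otherwise move the guard into the `else` branch, where the handle is presumably first needed. The same applies to the guard added to `ndpi_map_ndpi_id_to_user_proto_id` in the next hunk. Both function bodies continue outside their hunks.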
@@ -363,6 +366,9 @@ u_int16_t ndpi_map_ndpi_id_to_user_proto_id(struct ndpi_detection_module_struct
#endif
#endif
+ if(!ndpi_str)
+ return(0);
+
if(ndpi_proto_id < NDPI_MAX_SUPPORTED_PROTOCOLS)
return(ndpi_proto_id);
else if(ndpi_proto_id < ndpi_str->ndpi_num_supported_protocols) {
@@ -713,7 +719,6 @@ static u_int8_t ndpi_is_middle_string_char(char c) {
case '.':
case '-':
return(1);
- break;
default:
return(0);
@@ -2225,10 +2230,11 @@ int ndpi_get_patricia_stats(struct ndpi_detection_module_struct *ndpi_struct,
/* ****************************************************** */
int ndpi_fill_prefix_v4(ndpi_prefix_t *p, const struct in_addr *a, int b, int mb) {
+ memset(p, 0, sizeof(ndpi_prefix_t));
+
if(b < 0 || b > mb)
return(-1);
- memset(p, 0, sizeof(ndpi_prefix_t));
p->add.sin.s_addr = a->s_addr, p->family = AF_INET, p->bitlen = b, p->ref_count = 0;
return(0);
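Review bot: `memset(p, 0, sizeof(ndpi_prefix_t))` now runs before any validation, so `ndpi_fill_prefix_v4` writes through `p` even on the error path. Neither `p` nor `a` is checked for NULL, although this commit adds NULL guards to other entry points. Consider `if(!p || !a) return(-1);` ahead of the memset, unless every caller is known to pass valid pointers. A short comment such as `/* zero p first so it is initialised even when -1 is returned */` would record why the memset moved. `ndpi_fill_prefix_v6` in the next hunk has the same shape with `prefix` and `addr`, and its body continues outside that hunk.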
@@ -2237,6 +2243,8 @@ int ndpi_fill_prefix_v4(ndpi_prefix_t *p, const struct in_addr *a, int b, int mb
/* ******************************************* */
int ndpi_fill_prefix_v6(ndpi_prefix_t *prefix, const struct in6_addr *addr, int bits, int maxbits) {
+ memset(prefix, 0, sizeof(ndpi_prefix_t));
+
if(bits < 0 || bits > maxbits)
return -1;
@@ -8165,11 +8173,9 @@ int ndpi_is_custom_category(ndpi_protocol_category_t category) {
case NDPI_PROTOCOL_CATEGORY_CUSTOM_4:
case NDPI_PROTOCOL_CATEGORY_CUSTOM_5:
return(1);
- break;
default:
return(0);
- break;
}
}
@@ -9166,19 +9172,15 @@ const char *ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) {
switch(proto) {
case ndpi_l4_proto_unknown:
return("");
- break;
case ndpi_l4_proto_tcp_only:
return("TCP");
- break;
case ndpi_l4_proto_udp_only:
return("UDP");
- break;
case ndpi_l4_proto_tcp_and_udp:
return("TCP/UDP");
- break;
}
return("");
@@ -9913,6 +9915,11 @@ u_int32_t ndpi_get_protocol_aggressiveness(struct ndpi_detection_module_struct *
void ndpi_set_user_data(struct ndpi_detection_module_struct *ndpi_str, void *user_data)
{
+ if (ndpi_str == NULL)
+ {
+ return;
+ }
+
if (ndpi_str->user_data != NULL)
{
NDPI_LOG_ERR(ndpi_str, "%s", "User data is already set. Overwriting.")
@@ -9923,5 +9930,7 @@ void ndpi_set_user_data(struct ndpi_detection_module_struct *ndpi_str, void *use
void *ndpi_get_user_data(struct ndpi_detection_module_struct *ndpi_str)
{
- return ndpi_str->user_data;
+ if(ndpi_str)
+ return ndpi_str->user_data;
+ return NULL;
}
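Review bot: `ndpi_get_user_data` now returns NULL for a NULL handle and, presumably, also for a valid handle on which no user data was stored, so the caller cannot distinguish the two. A comment above the function should state the contract, e.g. `/* Returns the pointer stored by ndpi_set_user_data(), or NULL if ndpi_str is NULL or nothing was stored */`. As a style point, the guard here is written `if(ndpi_str)`, while the one added to `ndpi_set_user_data` in the previous hunk is `if (ndpi_str == NULL)` with braces on their own lines; one form for both would read better.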
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 8356c39b3..bd7c922ad 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1627,31 +1627,24 @@ const char* ndpi_tunnel2str(ndpi_packet_tunnel tt) {
switch(tt) {
case ndpi_no_tunnel:
return("No-Tunnel");
- break;
case ndpi_gtp_tunnel:
return("GTP");
- break;
case ndpi_capwap_tunnel:
return("CAPWAP");
- break;
case ndpi_tzsp_tunnel:
return("TZSP");
- break;
case ndpi_l2tp_tunnel:
return("L2TP");
- break;
case ndpi_vxlan_tunnel:
return("VXLAN");
- break;
case ndpi_gre_tunnel:
return("GRE");
- break;
}
return("");
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 68a1a2ac9..9d48aecb1 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -62,7 +62,7 @@ u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_
case 117: /* G.722 */
case 118: /* Comfort Noise Wideband */
*s_type = ndpi_multimedia_audio_flow;
- return(1 /* RTP */);
+ return(1);
case 34: /* H.263 [MS-H26XPF] */
case 121: /* RT Video */
@@ -70,14 +70,7 @@ u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_
case 123: /* H.264 FEC [MS-H264PF] */
case 127: /* x-data */
*s_type = ndpi_multimedia_video_flow;
- return(1 /* RTP */);
-
- case 200: /* RTCP PACKET SENDER */
- case 201: /* RTCP PACKET RECEIVER */
- case 202: /* RTCP Source Description */
- case 203: /* RTCP Bye */
- *s_type = ndpi_multimedia_unknown_flow;
- return(2 /* RTCP */);
+ return(1);
default:
*s_type = ndpi_multimedia_unknown_flow;
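Review bot: With the RTCP cases 200-203 removed, every return visible in `rtp_get_stream_type` is `1`, but nothing at the function tells a reader that the old `2 /* RTCP */` result no longer exists. Add a header comment such as `/* Returns 1 for a known RTP payload type; RTCP is not classified here, use is_rtp_or_rtcp() */`. Also check that no caller still compares the result with 2, since such a branch would now be dead. The return value of the `default` branch lies outside the hunk, and the function starts before it.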
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 709a77a96..157e57868 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -656,9 +656,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
dNSName);
#endif
- if(flow->host_server_name[0] == '\0') {
- matched_name = 1; /* No SNI */
- } else if(dNSName[0] == '*') {
+ if(dNSName[0] == '*') {
char * label = strstr(flow->host_server_name, &dNSName[1]);
if(label != NULL) {
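Review bot: Dropping the `flow->host_server_name[0] == '\0'` branch makes this name comparison depend on a check that sits outside the hunk; the commit message places it at the top of the `while` loop. Record that invariant where it is relied on, e.g. `/* flow->host_server_name is non-empty here, see the check at the top of the loop */` above `if(dNSName[0] == '*')`. If the loop-head check is ever changed, a flow without SNI would reach the `strstr` comparison and would likely no longer count as a name match. That could show up as spurious certificate-mismatch results. The body of `processCertificateElements` extends beyond the hunk on both sides.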
diff --git a/src/lib/third_party/src/libinjection_xss.c b/src/lib/third_party/src/libinjection_xss.c
index 3ef827df9..f329d8b87 100644
--- a/src/lib/third_party/src/libinjection_xss.c
+++ b/src/lib/third_party/src/libinjection_xss.c
@@ -78,6 +78,10 @@ static int html_decode_char_at(const char* src, size_t len, size_t* consumed)
return '&';
}
+ if (len < 4) {
+ return (unsigned char)(*(src+1));
+ }
+
if (*(src+2) == 'x' || *(src+2) == 'X') {
ch = (unsigned char) (*(src+3));
ch = gsHexDecodeMap[ch];