Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/Makefile.am | 4 | ||||
-rw-r--r-- | fuzz/fuzz_alg_hw_rsi_outliers_da.cpp | 2 | ||||
-rw-r--r-- | fuzz/fuzz_alg_ses_des.cpp | 3 | ||||
-rw-r--r-- | fuzz/fuzz_common_code.c | 5 | ||||
-rw-r--r-- | fuzz/fuzz_config.cpp | 51 | ||||
-rw-r--r-- | fuzz/fuzz_libinjection.c | 18 | ||||
-rw-r--r-- | fuzz/fuzz_ndpi_reader.c | 2 |
7 files changed, 72 insertions, 13 deletions
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 3871faaa2..45efdbb3f 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -47,8 +47,8 @@ fuzz_ndpi_reader_alloc_fail_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAG
 	$(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
 	$(fuzz_ndpi_reader_alloc_fail_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
-fuzz_ndpi_reader_payload_analyzer_SOURCES = fuzz_ndpi_reader.c ../example/reader_util.c
-fuzz_ndpi_reader_payload_analyzer_CFLAGS = -I../example/ @NDPI_CFLAGS@ $(CXXFLAGS) -DENABLE_PAYLOAD_ANALYZER
+fuzz_ndpi_reader_payload_analyzer_SOURCES = fuzz_ndpi_reader.c fuzz_common_code.c ../example/reader_util.c
+fuzz_ndpi_reader_payload_analyzer_CFLAGS = -I../example/ @NDPI_CFLAGS@ $(CXXFLAGS) -DENABLE_MEM_ALLOC_FAILURES -DENABLE_PAYLOAD_ANALYZER
 fuzz_ndpi_reader_payload_analyzer_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
 fuzz_ndpi_reader_payload_analyzer_LDFLAGS = $(PCAP_LIB) $(LIBS)
 if HAS_FUZZLDFLAGS
diff --git a/fuzz/fuzz_alg_hw_rsi_outliers_da.cpp b/fuzz/fuzz_alg_hw_rsi_outliers_da.cpp
index 06274cdfe..3ea9551e4 100644
--- a/fuzz/fuzz_alg_hw_rsi_outliers_da.cpp
+++ b/fuzz/fuzz_alg_hw_rsi_outliers_da.cpp
@@ -81,6 +81,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_data_entropy(a);
   ndpi_reset_data_analysis(a);
+  ndpi_hw_reset(&hw);
+
   /* Data ratio */
   if (num_values > 1)
     ndpi_data_ratio2str(ndpi_data_ratio(values[0], values[1]));
diff --git a/fuzz/fuzz_alg_ses_des.cpp b/fuzz/fuzz_alg_ses_des.cpp
index 45c1f189e..b524d2fcb 100644
--- a/fuzz/fuzz_alg_ses_des.cpp
+++ b/fuzz/fuzz_alg_ses_des.cpp
@@ -45,5 +45,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     ndpi_des_add_value(&d, value, &forecast, &confidence_band);
   }
+  ndpi_ses_reset(&s);
+  ndpi_des_reset(&d);
+
   return 0;
 }
diff --git a/fuzz/fuzz_common_code.c b/fuzz/fuzz_common_code.c
index 30dc5baa7..88b7adf2d 100644
--- a/fuzz/fuzz_common_code.c
+++ b/fuzz/fuzz_common_code.c
@@ -38,19 +38,16 @@ void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_
 {
   ndpi_init_prefs prefs = ndpi_enable_ja3_plus;
   NDPI_PROTOCOL_BITMASK all;
+  NDPI_PROTOCOL_BITMASK debug_bitmask;
   if(*ndpi_info_mod == NULL) {
     *ndpi_info_mod = ndpi_init_detection_module(prefs);
     NDPI_BITMASK_SET_ALL(all);
     ndpi_set_protocol_detection_bitmask2(*ndpi_info_mod, &all);
-#if 0
-    NDPI_PROTOCOL_BITMASK debug_bitmask;
-    NDPI_BITMASK_SET_ALL(debug_bitmask);
     ndpi_set_log_level(*ndpi_info_mod, 4);
     ndpi_set_debug_bitmask(*ndpi_info_mod, debug_bitmask);
-#endif
     ndpi_load_protocols_file(*ndpi_info_mod, "protos.txt");
     ndpi_load_categories_file(*ndpi_info_mod, "categories.txt", NULL);
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 8f98c5929..ceddaaf85 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -1,4 +1,5 @@
 #include "ndpi_api.h"
+#include "ndpi_classify.h"
 #include "fuzz_common_code.h"
 #include <stdint.h>
@@ -25,6 +26,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   struct ndpi_flow_input_info input_info;
   ndpi_proto p, p2;
   char out[128];
+  char log_ts[32];
   if(fuzzed_data.remaining_bytes() < 4 + /* ndpi_init_detection_module() */
@@ -32,10 +34,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
                                      1 + /* TLS cert expire */
                                      6 + /* files */
                                      ((NDPI_LRUCACHE_MAX + 1) * 5) + /* LRU caches */
-                                     2 + 1 + 5 + /* ndpi_set_detection_preferences() */
+                                     2 + 1 + 4 + /* ndpi_set_detection_preferences() */
                                      7 + /* Opportunistic tls */
                                      2 + /* Pid */
                                      2 + /* Category */
+                                     1 + /* Tunnel */
                                      1 + /* Bool value */
                                      2 + /* input_info */
                                      21 /* Min real data: ip length + 1 byte of L4 header */)
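Review bot: `debug_bitmask` reaches `ndpi_set_debug_bitmask(*ndpi_info_mod, debug_bitmask);` without ever being initialised: the new declaration at the top of the function replaces the one that lived inside the removed `#if 0` block, but the `NDPI_BITMASK_SET_ALL(debug_bitmask);` that went with it was dropped as well, so the call hands the library whatever happens to be on the stack and the set of protocols that get debug logging is arbitrary (MSan would flag the read if it is passed by value, as the old code suggests). Add `NDPI_BITMASK_SET_ALL(debug_bitmask);` on the line before the `ndpi_set_debug_bitmask` call. Turning log level 4 on unconditionally for every fuzzer is presumably deliberate, but it deserves a one-line comment such as `/* Verbose logging on purpose: exercise the logging paths too, at some throughput cost */` since it affects every harness that calls this helper. The function continues past the end of the hunk.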
@@ -82,6 +85,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     ndpi_get_lru_cache_ttl(ndpi_info_mod, static_cast<lru_cache_type>(i), &num);
   }
+  /* TODO: stub for geo stuff */
+  ndpi_load_geoip(ndpi_info_mod, NULL, NULL);
+
   if(fuzzed_data.ConsumeBool())
     ndpi_set_detection_preferences(ndpi_info_mod, ndpi_pref_direction_detect_disable,
                                    fuzzed_data.ConsumeBool());
@@ -90,7 +96,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
                                    0 /* unused */);
   if(fuzzed_data.ConsumeBool())
     ndpi_set_detection_preferences(ndpi_info_mod, ndpi_pref_max_packets_to_process,
-                                   fuzzed_data.ConsumeIntegralInRange(0, (1 << 24)));
+                                   fuzzed_data.ConsumeIntegralInRange(0, (1 << 16)));
   ndpi_set_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP, fuzzed_data.ConsumeBool());
   ndpi_get_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP);
@@ -121,7 +127,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   }
   ndpi_set_proto_breed(ndpi_info_mod, pid, NDPI_PROTOCOL_SAFE);
   ndpi_set_proto_category(ndpi_info_mod, pid, NDPI_PROTOCOL_CATEGORY_MEDIA);
-  ndpi_is_subprotocol_informative(ndpi_info_mod, pid);
   /* Custom category configuration */
   cat = fuzzed_data.ConsumeIntegralInRange(static_cast<int>(NDPI_PROTOCOL_CATEGORY_CUSTOM_1),
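Review bot: The new upper bound `(1 << 16)` on `ndpi_pref_max_packets_to_process` is silently coupled to the byte budget in the earlier `remaining_bytes()` check, which this commit lowers from `2 + 1 + 5` to `2 + 1 + 4`: with LLVM's FuzzedDataProvider, `ConsumeIntegralInRange(0, 1 << 16)` consumes three bytes (one per 8 bits of range) where `1 << 24` consumed four, so the two edits agree today but nothing in the code ties them together. Put the reason on the changed line, `fuzzed_data.ConsumeIntegralInRange(0, (1 << 16))); /* 17-bit range = 3 bytes; keep in sync with the remaining_bytes() budget above */`, so whoever widens the range next also bumps the budget — otherwise the `assert(pkt.size() >= 21)` later in the function is the only thing that would notice. The enclosing function starts and ends outside this hunk.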
@@ -131,20 +136,27 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_category_get_name(ndpi_info_mod, static_cast<ndpi_protocol_category_t>(cat)); ndpi_get_category_id(ndpi_info_mod, catname); + ndpi_tunnel2str(static_cast<ndpi_packet_tunnel>(fuzzed_data.ConsumeIntegralInRange(static_cast<int>(ndpi_no_tunnel), + static_cast<int>(ndpi_gre_tunnel + 1)))); /* + 1 to trigger invalid value */ + ndpi_get_num_supported_protocols(ndpi_info_mod); + ndpi_get_proto_defaults(ndpi_info_mod); ndpi_get_ndpi_num_custom_protocols(ndpi_info_mod); + ndpi_get_ndpi_num_supported_protocols(ndpi_info_mod); ndpi_self_check_host_match(stderr); /* Basic code to try testing this "config" */ bool_value = fuzzed_data.ConsumeBool(); - input_info.in_pkt_dir = !!fuzzed_data.ConsumeBool(); + input_info.in_pkt_dir = fuzzed_data.ConsumeIntegralInRange(0,2); input_info.seen_flow_beginning = !!fuzzed_data.ConsumeBool(); memset(&flow, 0, sizeof(flow)); std::vector<uint8_t>pkt = fuzzed_data.ConsumeRemainingBytes<uint8_t>(); assert(pkt.size() >= 21); /* To be sure check on fuzzed_data.remaining_bytes() at the beginning is right */ + ndpi_detection_process_packet(ndpi_info_mod, &flow, pkt.data(), pkt.size(), 0, &input_info); p = ndpi_detection_giveup(ndpi_info_mod, &flow, 1, &protocol_was_guessed); + assert(p.master_protocol == ndpi_get_flow_masterprotocol(ndpi_info_mod, &flow)); assert(p.app_protocol == ndpi_get_flow_appprotocol(ndpi_info_mod, &flow)); assert(p.category == ndpi_get_flow_category(ndpi_info_mod, &flow)); 
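Review bot: `input_info.in_pkt_dir = fuzzed_data.ConsumeIntegralInRange(0,2);` widens the previous 0/1 choice to 0..2 without saying whether 2 is a legitimate direction value or a deliberately out-of-range one, whereas the `ndpi_tunnel2str` line a few lines up documents exactly that with its `/* + 1 to trigger invalid value */`. If 2 is the last valid direction value, a comment such as `/* 0..2: every in_pkt_dir value a caller can legitimately pass */` removes the ambiguity; if it is meant to be invalid, say so the same way the tunnel line does, since the detection path is then being fed an out-of-range hint on purpose. Either way the byte budget entry `2 + /* input_info */` still holds, as a three-value range fits in one byte. The enclosing function starts and ends outside this hunk.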
@@ -154,6 +166,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_get_flow_risk_info(&flow, out, sizeof(out), 1);
   ndpi_get_flow_ndpi_proto(ndpi_info_mod, &flow, &p2);
   ndpi_is_proto(p, NDPI_PROTOCOL_TLS);
+  ndpi_http_method2str(flow.http.method);
+  ndpi_get_l4_proto_name(ndpi_get_l4_proto_info(ndpi_info_mod, p.app_protocol));
+  ndpi_is_subprotocol_informative(ndpi_info_mod, p.app_protocol);
+  ndpi_get_http_method(ndpi_info_mod, &flow);
+  ndpi_get_http_url(ndpi_info_mod, &flow);
+  ndpi_get_http_content_type(ndpi_info_mod, &flow);
+  ndpi_check_for_email_address(ndpi_info_mod, 0);
   /* ndpi_guess_undetected_protocol() is a "strange" function. Try fuzzing it, here */
   if(!ndpi_is_protocol_detected(ndpi_info_mod, p)) {
     ndpi_guess_undetected_protocol(ndpi_info_mod, bool_value ? &flow : NULL,
@@ -161,10 +180,24 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     if(!flow.is_ipv6) {
       /* Another "strange" function (ipv4 only): fuzz it here, for lack of a better alternative */
       ndpi_find_ipv4_category_userdata(ndpi_info_mod, flow.c_address.v4);
+
+      ndpi_search_tcp_or_udp_raw(ndpi_info_mod, NULL, 0, ntohl(flow.c_address.v4), ntohl(flow.s_address.v4));
     }
     /* Another "strange" function: fuzz it here, for lack of a better alternative */
     ndpi_search_tcp_or_udp(ndpi_info_mod, &flow);
   }
+  if(!flow.is_ipv6) {
+    ndpi_network_ptree_match(ndpi_info_mod, (struct in_addr *)&flow.c_address.v4);
+
+    ndpi_risk_params params[] = { { NDPI_PARAM_HOSTNAME, flow.host_server_name}, { NDPI_PARAM_ISSUER_DN, flow.host_server_name}, { NDPI_PARAM_HOST_IPV4, &flow.c_address.v4} };
+    ndpi_check_flow_risk_exceptions(ndpi_info_mod, 3, params);
+  }
+  /* TODO: stub for geo stuff */
+  ndpi_get_geoip_asn(ndpi_info_mod, NULL, NULL);
+  ndpi_get_geoip_country_continent(ndpi_info_mod, NULL, NULL, 0, NULL, 0);
+
   ndpi_free_flow_data(&flow);
   /* Get some final stats */
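Review bot: The `ndpi_risk_params` table hands `flow.host_server_name` to the library twice, once as `NDPI_PARAM_HOSTNAME` and again as `NDPI_PARAM_ISSUER_DN`, so the issuer-DN exception path is only ever fed a host name; that is acceptable for coverage but should be stated on the line, e.g. `{ NDPI_PARAM_ISSUER_DN, flow.host_server_name}, /* deliberately reuses the host name: any non-NULL string exercises this path */`, otherwise it reads as a copy-paste slip. Because the flow was zeroed with `memset(&flow, 0, sizeof(flow))` earlier in the function, `host_server_name` is empty (or NULL, depending on its type) whenever no dissector filled it, so `ndpi_check_flow_risk_exceptions` is routinely called with empty strings — presumably tolerated, but worth confirming and noting next to the call. The enclosing function starts and ends outside this hunk.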
@@ -180,6 +213,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_get_api_version();
   ndpi_get_gcrypt_version();
+  ndpi_get_ndpi_detection_module_size();
+  ndpi_detection_get_sizeof_ndpi_flow_struct();
+  ndpi_detection_get_sizeof_ndpi_flow_tcp_struct();
+  ndpi_detection_get_sizeof_ndpi_flow_udp_struct();
+
+  ndpi_get_tot_allocated_memory();
+  ndpi_log_timestamp(log_ts, sizeof(log_ts));
+
+  ndpi_free_geoip(ndpi_info_mod);
+
   ndpi_exit_detection_module(ndpi_info_mod);
   return 0;
diff --git a/fuzz/fuzz_libinjection.c b/fuzz/fuzz_libinjection.c
index 9fd60107b..c878fe823 100644
--- a/fuzz/fuzz_libinjection.c
+++ b/fuzz/fuzz_libinjection.c
@@ -5,7 +5,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   char *query;
-  char fingerprint[8];
+  struct libinjection_sqli_state state;
   /* No memory allocations involved */
@@ -15,11 +15,25 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   memcpy(query, data, size);
   query[size] = '\0';
-  libinjection_sqli(query, strlen(query), fingerprint);
+
+  libinjection_sqli_init(&state, query, strlen(query), 0); /* Default: FLAG_QUOTE_NONE | FLAG_SQL_ANSI */
+  libinjection_is_sqli(&state);
+  libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI);
+  libinjection_is_sqli(&state);
+  libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_DOUBLE | FLAG_SQL_ANSI);
+  libinjection_is_sqli(&state);
+  libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_NONE | FLAG_SQL_MYSQL);
+  libinjection_is_sqli(&state);
+  libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL);
+  libinjection_is_sqli(&state);
+  libinjection_sqli_init(&state, query, strlen(query), FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL);
+  libinjection_is_sqli(&state);
   libinjection_xss(query, strlen(query));
   free(query);
+  libinjection_version();
+
   return 0;
 }
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 252503d63..4ae6a8246 100644
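Review bot: All six new `libinjection_sqli_init(&state, query, strlen(query), …)` calls measure the input with `strlen`, so any fuzz input containing a NUL byte is cut short before the tokenizer sees it, even though the harness already NUL-terminates a full copy (`query[size] = '\0'`) and the init function takes an explicit length that would let the whole buffer be scanned; passing `size` instead exercises embedded-NUL handling in the SQLi tokenizer, which is exactly the kind of input a fuzzer should be allowed to reach. The six copy-pasted init/is_sqli pairs are also easier to keep in step as a flags table plus a loop, with the default-flags comment moved onto the table entry. The enclosing function starts before this hunk, and `state` is declared in the file's first hunk.
```c
  static const int sqli_flags[] = {
    0, /* Default: FLAG_QUOTE_NONE | FLAG_SQL_ANSI */
    FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI,
    FLAG_QUOTE_DOUBLE | FLAG_SQL_ANSI,
    FLAG_QUOTE_NONE | FLAG_SQL_MYSQL,
    FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL,
    FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL,
  };
  /* … unchanged: allocation, memcpy and NUL termination of query … */
  for(size_t i = 0; i < sizeof(sqli_flags) / sizeof(sqli_flags[0]); i++) {
    /* Pass the real length, not strlen(): inputs with embedded NULs must reach the tokenizer */
    libinjection_sqli_init(&state, query, size, sqli_flags[i]);
    libinjection_is_sqli(&state);
  }
```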
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -21,7 +21,7 @@ u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Sign
 ndpi_init_prefs init_prefs = ndpi_track_flow_payload | ndpi_enable_ja3_plus;
 int enable_malloc_bins = 1;
 int malloc_size_stats = 0;
-int max_malloc_bins = 0;
+int max_malloc_bins = 14;
 struct ndpi_bin malloc_bins; /* unused */
 extern void ndpi_report_payload_stats(int print);