From b51a2ac72a3cbd1b470890d0151a46da28e6754e Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Thu, 9 Feb 2023 20:02:12 +0100 Subject: fuzz: some improvements and add two new fuzzers (#1881) Remove `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` define from `fuzz/Makefile.am`; it is already included by the main configure script (when fuzzing). Add a knob to force disabling of AESNI optimizations: this way we can fuzz also no-aesni crypto code. Move CRC32 algorithm into the library. Add some fake traces to extend fuzzing coverage. Note that these traces are hand-made (via scapy/curl) and must not be used as "proof" that the dissectors are really able to identify this kind of traffic. Some small updates to some dissectors: CSGO: remove a wrong rule (never triggered, BTW). Any UDP packet starting with "VS01" will be classified as STEAM (see steam.c around line 111). Googling it, it seems right so. XBOX: XBOX only analyses UDP flows while HTTP only TCP ones; therefore that condition is false. RTP, STUN: removed useless "break"s Zattoo: `flow->zattoo_stage` is never set to any values greater or equal to 5, so these checks are never true. PPStream: `flow->l4.udp.ppstream_stage` is never read. Delete it. TeamSpeak: we check for `flow->packet_counter == 3` just above, so the following check `flow->packet_counter >= 3` is always false. --- fuzz/fuzz_ds_ptree.cpp | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 fuzz/fuzz_ds_ptree.cpp (limited to 'fuzz/fuzz_ds_ptree.cpp') diff --git a/fuzz/fuzz_ds_ptree.cpp b/fuzz/fuzz_ds_ptree.cpp new file mode 100644 index 000000000..ae92a0257 --- /dev/null +++ b/fuzz/fuzz_ds_ptree.cpp @@ -0,0 +1,71 @@ +#include "ndpi_api.h" +#include "fuzz_common_code.h" + +#include +#include +#include +#include "fuzzer/FuzzedDataProvider.h" + + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + FuzzedDataProvider fuzzed_data(data, size); + u_int16_t i, num_iteration; + ndpi_ptree_t *t; + ndpi_ip_addr_t addr, addr_added; + u_int8_t bits; + int rc, is_added = 0; + u_int64_t user_data; + + /* To allow memory allocation failures */ + fuzz_set_alloc_callbacks_and_seed(size); + + t = ndpi_ptree_create(); + + /* Random insert */ + num_iteration = fuzzed_data.ConsumeIntegral(); + for (i = 0; i < num_iteration; i++) { + if (fuzzed_data.ConsumeBool()) { + if(fuzzed_data.remaining_bytes() > 16) { + memcpy(&addr.ipv6, fuzzed_data.ConsumeBytes(16).data(), 16); + bits = fuzzed_data.ConsumeIntegralInRange(0, 128); + } else { + continue; + } + } else { + memset(&addr, '\0', sizeof(addr)); + addr.ipv4 = fuzzed_data.ConsumeIntegral(); + bits = fuzzed_data.ConsumeIntegralInRange(0, 32); + }; + + rc = ndpi_ptree_insert(t, &addr, bits, 0); + /* Keep one random node really added */ + if (rc == 0 && is_added == 0 && fuzzed_data.ConsumeBool()) { + is_added = 1; + addr_added = addr; + } + } + + /* Random search */ + num_iteration = fuzzed_data.ConsumeIntegral(); + for (i = 0; i < num_iteration; i++) { + if (fuzzed_data.ConsumeBool()) { + if(fuzzed_data.remaining_bytes() > 16) { + memcpy(&addr.ipv6, fuzzed_data.ConsumeBytes(16).data(), 16); + } else { + continue; + } + } else { + memset(&addr, '\0', sizeof(addr)); + addr.ipv4 = fuzzed_data.ConsumeIntegral(); + }; + + ndpi_ptree_match_addr(t, &addr, &user_data); + } + /* Search of an added node */ + if (is_added) + ndpi_ptree_match_addr(t, &addr_added, &user_data); + + ndpi_ptree_destroy(t); + + return 0; +} -- cgit v1.2.3