From b51a2ac72a3cbd1b470890d0151a46da28e6754e Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Thu, 9 Feb 2023 20:02:12 +0100 Subject: fuzz: some improvements and add two new fuzzers (#1881) Remove `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` define from `fuzz/Makefile.am`; it is already included by the main configure script (when fuzzing). Add a knob to force disabling of AESNI optimizations: this way we can fuzz also no-aesni crypto code. Move CRC32 algorithm into the library. Add some fake traces to extend fuzzing coverage. Note that these traces are hand-made (via scapy/curl) and must not be used as "proof" that the dissectors are really able to identify this kind of traffic. Some small updates to some dissectors: CSGO: remove a wrong rule (never triggered, BTW). Any UDP packet starting with "VS01" will be classified as STEAM (see steam.c around line 111). Googling it, it seems right so. XBOX: XBOX only analyses UDP flows while HTTP only TCP ones; therefore that condition is false. RTP, STUN: removed useless "break"s Zattoo: `flow->zattoo_stage` is never set to any values greater or equal to 5, so these checks are never true. PPStream: `flow->l4.udp.ppstream_stage` is never read. Delete it. TeamSpeak: we check for `flow->packet_counter == 3` just above, so the following check `flow->packet_counter >= 3` is always false. --- fuzz/fuzz_ds_tree.cpp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'fuzz/fuzz_ds_tree.cpp') diff --git a/fuzz/fuzz_ds_tree.cpp b/fuzz/fuzz_ds_tree.cpp index ee00b1723..d06b5b19f 100644 --- a/fuzz/fuzz_ds_tree.cpp +++ b/fuzz/fuzz_ds_tree.cpp @@ -13,7 +13,7 @@ static int __compare(const void *a, const void *b) entry_a = (u_int32_t *)a; entry_b = (u_int32_t *)b; - return entry_a == entry_b ? 0 : (entry_a < entry_b ? -1 : +1); + return *entry_a == *entry_b ? 0 : (*entry_a < *entry_b ? -1 : +1); } static void __free(void * const node) { @@ -22,15 +22,14 @@ static void __free(void * const node) } static void __walk(const void *a, ndpi_VISIT which, int depth, void *user_data) { - assert(user_data == NULL); - assert(a); + assert(user_data == NULL && a); } extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FuzzedDataProvider fuzzed_data(data, size); u_int16_t i, num_iteration, is_added = 0; void *root = NULL; - u_int32_t *entry, value_added, e; + u_int32_t *entry, value_added, e, *e2; /* Just to have some data */ if (fuzzed_data.remaining_bytes() < 1024) @@ -80,11 +79,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { for (i = 0; i < num_iteration; i++) { e = fuzzed_data.ConsumeIntegral(); - ndpi_tdelete(&e, &root, __compare); + e2 = (u_int32_t *)ndpi_tdelete(&e, &root, __compare); + ndpi_free(e2); } /* Delete of an added node */ if (is_added) { - ndpi_tdelete(&value_added, &root, __compare); + e2 = (u_int32_t *)ndpi_tdelete(&value_added, &root, __compare); + ndpi_free(e2); } ndpi_twalk(root, __walk, NULL); -- cgit v1.2.3