From b539b0d0902bc0fda235d8bbf1bc7f64e9028465 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 7 Nov 2023 17:46:29 +0100
Subject: fuzz: improve coverage and remove dead code (#2135)
We are not able to remove custom rules: remove the empty stubs (which originate from the original OpenDPI code). `ndpi_guess_protocol_id()` is only called on the first packet of the flow, so the bitmask `flow->excluded_protocol_bitmask` is always empty, since we didn't call any dissectors yet. Move another hash function to the dedicated source file.
---
 fuzz/fuzz_alg_crc32_md5.c | 3 +++
 fuzz/fuzz_ds_hash.cpp | 2 ++
 fuzz/fuzz_gcrypt_cipher.cpp | 42 ++++++++++++++++++++++++------------------
 fuzz/fuzz_gcrypt_gcm.cpp | 10 +++++++---
 4 files changed, 36 insertions(+), 21 deletions(-)
(limited to 'fuzz')
diff --git a/fuzz/fuzz_alg_crc32_md5.c b/fuzz/fuzz_alg_crc32_md5.c
index 1f45e476e..def56566c 100644
--- a/fuzz/fuzz_alg_crc32_md5.c
+++ b/fuzz/fuzz_alg_crc32_md5.c
@@ -15,6 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ndpi_murmur_hash((const char *)data, size);
 ndpi_quick_hash(data, size);
 
+ if(size >= 16)
+ ndpi_quick_16_byte_hash(data);
+
 str = ndpi_malloc(size + 1);
 if(str) {
 memcpy(str, data, size);
diff --git a/fuzz/fuzz_ds_hash.cpp b/fuzz/fuzz_ds_hash.cpp
index 5b26d684b..2b7463b49 100644
--- a/fuzz/fuzz_ds_hash.cpp
+++ b/fuzz/fuzz_ds_hash.cpp
@@ -57,6 +57,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ndpi_hash_find_entry(h, value_added.data(), value_added.size(), &value);
 }
 
+ if (fuzzed_data.ConsumeBool())
+ ndpi_hash_free(NULL, cleanup_func);
 ndpi_hash_free(&h, cleanup_func);
 
 return 0;
diff --git a/fuzz/fuzz_gcrypt_cipher.cpp b/fuzz/fuzz_gcrypt_cipher.cpp
index 7eaffcdc2..270c583ea 100644
--- a/fuzz/fuzz_gcrypt_cipher.cpp
+++ b/fuzz/fuzz_gcrypt_cipher.cpp
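Review bot: The new guard `if(size >= 16)` is the only thing keeping `ndpi_quick_16_byte_hash(data)` inside the fuzzer's input buffer, and nothing at the call site says so; the neighbouring hash calls take an explicit length, so a later reader may "simplify" the guard away. I would add `/* fixed-width hash with no length parameter: the size check keeps the read in bounds */` above the `if`, since the function's contract is only visible through its name here. The enclosing LLVMFuzzerTestOneInput starts and ends outside the hunk.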
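Review bot: The added `ndpi_hash_free(NULL, cleanup_func)` is an intentional NULL-argument probe, but sitting directly above the real `ndpi_hash_free(&h, cleanup_func)` it reads like a stray double free; a comment such as `/* NULL handle: exercise the no-table path of ndpi_hash_free */` would make the intent clear. The new line also uses `if (` with a space while the other harnesses touched by this commit write `if(`; `if(fuzzed_data.ConsumeBool())` keeps the style consistent. Because the loop above may have exhausted the provider, the branch only runs when bytes are left over, which is acceptable for a coverage probe. The enclosing function starts outside the hunk.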
@@ -67,28 +67,34 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 rc_e = mbedtls_cipher_setkey(ctx_e, key.data(), key.size() * 8, MBEDTLS_ENCRYPT);
 rc_d = mbedtls_cipher_setkey(ctx_d, key.data(), key.size() * 8, MBEDTLS_DECRYPT);
 if(rc_e == 0 && rc_d == 0) {
- rc_e = mbedtls_cipher_set_iv(ctx_e, iv.data(), iv.size());
- rc_d = mbedtls_cipher_set_iv(ctx_d, iv.data(), iv.size());
- if(rc_e == 0 && rc_d == 0) {
- mbedtls_cipher_reset(ctx_e);
- mbedtls_cipher_reset(ctx_d);
-
- rc_e = mbedtls_cipher_update(ctx_e, input.data(), input.size(), output, &output_size);
- if(rc_e == 0) {
- rc_e = mbedtls_cipher_finish(ctx_e, NULL, &output_size2);
+
+ if(fuzzed_data.ConsumeBool()) {
+ rc_e = mbedtls_cipher_crypt(ctx_e, iv.data(), iv.size(),
+ input.data(), input.size(), output, &output_size);
+ } else {
+ rc_e = mbedtls_cipher_set_iv(ctx_e, iv.data(), iv.size());
+ rc_d = mbedtls_cipher_set_iv(ctx_d, iv.data(), iv.size());
+ if(rc_e == 0 && rc_d == 0) {
+ mbedtls_cipher_reset(ctx_e);
+ mbedtls_cipher_reset(ctx_d);
+
+ rc_e = mbedtls_cipher_update(ctx_e, input.data(), input.size(), output, &output_size);
 if(rc_e == 0) {
+ rc_e = mbedtls_cipher_finish(ctx_e, NULL, &output_size2);
+ if(rc_e == 0) {
- rc_d = mbedtls_cipher_update(ctx_d, output, output_size, decrypted, &decrypted_size);
- if(rc_d == 0) {
- rc_d = mbedtls_cipher_finish(ctx_d, NULL, &output_size2);
- /* TODO: decryption doesn't work with no-aesni data path!
- Note that with MASAN, aesni is always disabled */
+ rc_d = mbedtls_cipher_update(ctx_d, output, output_size, decrypted, &decrypted_size);
+ if(rc_d == 0) {
+ rc_d = mbedtls_cipher_finish(ctx_d, NULL, &output_size2);
+ /* TODO: decryption doesn't work with no-aesni data path!
+ Note that with MASAN, aesni is always disabled */
 #if 0
- if(rc_d == 0) {
- assert(input.size() == decrypted_size);
- assert(memcmp(input.data(), decrypted, decrypted_size) == 0);
- }
+ if(rc_d == 0) {
+ assert(input.size() == decrypted_size);
+ assert(memcmp(input.data(), decrypted, decrypted_size) == 0);
+ }
 #endif
+ }
 }
 }
 }
diff --git a/fuzz/fuzz_gcrypt_gcm.cpp b/fuzz/fuzz_gcrypt_gcm.cpp
index debead9b4..3e0b85cca 100644
--- a/fuzz/fuzz_gcrypt_gcm.cpp
+++ b/fuzz/fuzz_gcrypt_gcm.cpp
@@ -20,13 +20,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 int key_len, rc_e, rc_d; mbedtls_cipher_id_t cipher; unsigned char *tag;
- int iv_len, tag_len, input_length, force_auth_tag_error;
+ int iv_len, tag_len, ad_len, input_length, force_auth_tag_error;
 /* No real memory allocations involved */ if(fuzzed_data.remaining_bytes() < 1 + 4 + 512 / 8 + 1 + 64 + /* iv */ 1 + /* tag_len */
+ 1 + 17 + /* ad */
 1 + 64 + /* input */ 1 + /* force_auth_tag_error */ 1 /* useless data: to be able to add the check with assert */)
@@ -50,6 +51,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 tag_len = fuzzed_data.ConsumeIntegralInRange(0, 17);
 tag = (unsigned char *)malloc(tag_len);
 
+ ad_len = fuzzed_data.ConsumeIntegralInRange(0, 17);
+ std::vectorad = fuzzed_data.ConsumeBytes(ad_len);
+
 input_length = fuzzed_data.ConsumeIntegralInRange(16, 64);
 std::vectorinput = fuzzed_data.ConsumeBytes(input_length);
 output = (unsigned char *)malloc(input_length);
@@ -71,7 +75,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 rc_e = mbedtls_gcm_crypt_and_tag(gcm_e_ctx, MBEDTLS_GCM_ENCRYPT, input.size(), iv.data(), iv.size(),
- NULL, 0, /* TODO */
+ ad.data(), ad.size(),
 input.data(), output, tag_len, tag);
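Review bot: The new `fuzzed_data.ConsumeBool()` consumes one byte more than the old flow did, but unlike the fuzz_gcrypt_gcm.cpp hunk, which grows its `remaining_bytes()` budget by `+ 1 + 17 + /* ad */` for the bytes it newly consumes, nothing in this diff adjusts a minimum-size check for fuzz_gcrypt_cipher.cpp; if that file has one (it would be outside the hunk) it should gain `1 + /* crypt-vs-update path */` so that a minimum-size input can still reach the one-shot `mbedtls_cipher_crypt` branch. FuzzedDataProvider returns false from `ConsumeBool()` once its bytes are exhausted, so nothing breaks, but the new branch is then only reachable when bytes happen to be left over. Note also that the one-shot arm never touches `ctx_d`, so the decrypt context's update/finish paths are covered only through the `else` arm. The enclosing LLVMFuzzerTestOneInput starts and ends outside the hunk.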
@@ -85,7 +89,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 rc_d = mbedtls_gcm_auth_decrypt(gcm_d_ctx, input.size(), iv.data(), iv.size(),
- NULL, 0, /* TODO */
+ ad.data(), ad.size(),
 tag, tag_len, output, decrypted);
-- cgit v1.2.3
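Review bot: Both the encrypt call in the previous hunk and `mbedtls_gcm_auth_decrypt` here receive the identical `ad.data(), ad.size()`, so the new additional-data coverage never reaches the path where authentication fails because the AAD differs; the harness already declares `force_auth_tag_error` (presumably to corrupt the tag) but has no equivalent for the AAD. Mirroring that flag would mean consuming one more byte and flipping a byte of `ad` before this call, e.g. `if(ad.size() > 0 && fuzzed_data.ConsumeBool()) ad[0] ^= 0x01;`, with the `remaining_bytes()` budget in the first hunk grown by `1 + /* force_ad_error */`. The handling of `rc_d` and the enclosing function continue outside the hunk.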