Fix overflow in rx_icmp

Makefile

@@ -81,6 +81,10 @@ fuzz: mongoose.c mongoose.h Makefile test/fuzz.c
 	$(CXX) test/fuzz.c $(OPTS) $(WARN) $(INCS) $(TFLAGS) $(ASAN) -o fuzzer
 	$(RUN) ./fuzzer
 
+fuzz2: mongoose.c mongoose.h Makefile test/fuzz.c
+	$(CC) test/fuzz.c test/packed_fs.c -DMAIN $(CFLAGS) -o fuzzer
+	$(RUN) ./fuzzer /tmp/fuzzdata
+
 test: Makefile mongoose.h $(SRCS)
 	$(CC) $(SRCS) $(CFLAGS) $(LDFLAGS) -o unit_test
 	ASAN_OPTIONS=$(ASAN_OPTIONS) $(RUN) ./unit_test

mip/mip.c

@@ -453,7 +453,7 @@ static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
     if (left > pkt->pay.len) left = pkt->pay.len;  // Don't overflow TX
     memset(icmp, 0, sizeof(*icmp));                // Set csum to 0
     memcpy(icmp + 1, pkt->pay.buf, left);          // Copy RX payload to TX
-    icmp->csum = ipcsum(icmp, sizeof(*icmp) + pkt->pay.len);
+    icmp->csum = ipcsum(icmp, sizeof(*icmp) + left);
     ifp->driver->tx(ifp->tx.buf, len + left, ifp->driver_data);
   }
 }

mongoose.c

@@ -90,9 +90,9 @@ int mg_base64_encode(const unsigned char *p, int n, char *to) {
 }
 
 int mg_base64_decode(const char *src, int n, char *dst) {
-  const char *end = src + n;
+  const char *end = src == NULL ? NULL : src + n;  // Cannot add to NULL
   int len = 0;
-  while (src + 3 < end) {
+  while (src != NULL && src + 3 < end) {
     int a = mg_b64rev(src[0]), b = mg_b64rev(src[1]), c = mg_b64rev(src[2]),
         d = mg_b64rev(src[3]);
     if (a == 64 || a < 0 || b == 64 || b < 0 || c < 0 || d < 0) return 0;
@@ -1542,7 +1542,7 @@ static void mg_http_parse_headers(const char *s, const char *end,
 
 int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
   int is_response, req_len = mg_http_get_request_len((unsigned char *) s, len);
-  const char *end = s + req_len, *qs;
+  const char *end = s == NULL ? NULL : s + req_len, *qs;  // Cannot add to NULL
   struct mg_str *cl;
 
   memset(hm, 0, sizeof(*hm));
@@ -1902,12 +1902,12 @@ static void printdirentry(const char *name, void *userdata) {
     }
 #if defined(MG_HTTP_DIRLIST_TIME)
     char time_str[30];
-    struct tm * time_info = localtime(&t);
+    struct tm *time_info = localtime(&t);
     strftime(time_str, sizeof time_str, "%Y/%m/%d %H:%M:%S", time_info);
     mg_snprintf(mod, sizeof(mod), "%s", time_str);
 #elif defined(MG_HTTP_DIRLIST_TIME_UTC)
     char time_str[30];
-    struct tm * time_info = gmtime(&t);
+    struct tm *time_info = gmtime(&t);
     strftime(time_str, sizeof time_str, "%Y/%m/%d %H:%M:%S", time_info);
     mg_snprintf(mod, sizeof(mod), "%s", time_str);
 #else
@@ -6715,10 +6715,10 @@ static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
                           sizeof(struct icmp) + pkt->pay.len);
     struct icmp *icmp = (struct icmp *) (ip + 1);
     size_t len = PDIFF(ifp->tx.buf, icmp + 1), left = ifp->tx.len - len;
-    if (left > pkt->pay.len) left = pkt->pay.len;
+    if (left > pkt->pay.len) left = pkt->pay.len;  // Don't overflow TX
-    memset(icmp, 0, sizeof(*icmp));  // Important - set csum to 0
+    memset(icmp, 0, sizeof(*icmp));                // Set csum to 0
-    memcpy(icmp + 1, pkt->pay.buf, left);
+    memcpy(icmp + 1, pkt->pay.buf, left);          // Copy RX payload to TX
-    icmp->csum = ipcsum(icmp, sizeof(*icmp) + pkt->pay.len);
+    icmp->csum = ipcsum(icmp, sizeof(*icmp) + left);
     ifp->driver->tx(ifp->tx.buf, len + left, ifp->driver_data);
   }
 }

src/base64.c

@@ -1,5 +1,5 @@
-#include "base64.h"
 #include "arch.h"
+#include "base64.h"
 
 static int mg_b64idx(int c) {
   if (c < 26) {
@@ -66,9 +66,9 @@ int mg_base64_encode(const unsigned char *p, int n, char *to) {
 }
 
 int mg_base64_decode(const char *src, int n, char *dst) {
-  const char *end = src + n;
+  const char *end = src == NULL ? NULL : src + n;  // Cannot add to NULL
   int len = 0;
-  while (src + 3 < end) {
+  while (src != NULL && src + 3 < end) {
     int a = mg_b64rev(src[0]), b = mg_b64rev(src[1]), c = mg_b64rev(src[2]),
         d = mg_b64rev(src[3]);
     if (a == 64 || a < 0 || b == 64 || b < 0 || c < 0 || d < 0) return 0;

src/http.c

@@ -1,7 +1,7 @@
-#include "http.h"
 #include "arch.h"
 #include "base64.h"
 #include "fmt.h"
+#include "http.h"
 #include "log.h"
 #include "net.h"
 #include "ssi.h"
@@ -202,7 +202,7 @@ static void mg_http_parse_headers(const char *s, const char *end,
 
 int mg_http_parse(const char *s, size_t len, struct mg_http_message *hm) {
   int is_response, req_len = mg_http_get_request_len((unsigned char *) s, len);
-  const char *end = s + req_len, *qs;
+  const char *end = s == NULL ? NULL : s + req_len, *qs;  // Cannot add to NULL
   struct mg_str *cl;
 
   memset(hm, 0, sizeof(*hm));
@@ -562,12 +562,12 @@ static void printdirentry(const char *name, void *userdata) {
     }
 #if defined(MG_HTTP_DIRLIST_TIME)
     char time_str[30];
-    struct tm * time_info = localtime(&t);
+    struct tm *time_info = localtime(&t);
     strftime(time_str, sizeof time_str, "%Y/%m/%d %H:%M:%S", time_info);
     mg_snprintf(mod, sizeof(mod), "%s", time_str);
 #elif defined(MG_HTTP_DIRLIST_TIME_UTC)
     char time_str[30];
-    struct tm * time_info = gmtime(&t);
+    struct tm *time_info = gmtime(&t);
     strftime(time_str, sizeof time_str, "%Y/%m/%d %H:%M:%S", time_info);
     mg_snprintf(mod, sizeof(mod), "%s", time_str);
 #else

test/fuzz.c

@@ -58,7 +58,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   mg_json_get(mg_str_n((char *) data, size), "$[0]", &n);
 
   if (size > 0) {
-    struct mip_cfg cfg = {};
+    struct mip_cfg cfg = {0};
     size_t pktlen = 1540;
     char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */];
     struct mip_if *ifp = (struct mip_if *) t;
@@ -85,3 +85,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   return 0;
 }
+
+#if defined(MAIN)
+int main(int argc, char *argv[]) {
+  if (argc > 1) {
+    size_t len = 0;
+    char *buf = mg_file_read(&mg_fs_posix, argv[1], &len);
+    if (buf != NULL) LLVMFuzzerTestOneInput((uint8_t *) buf, len);
+    free(buf);
+  }
+  return 0;
+}
+#endif