Optimize fuzzer

This commit is contained in:
cpq 2022-09-25 10:19:17 +01:00
parent 89f2e66c80
commit c409cca20e
4 changed files with 31 additions and 15 deletions

View File

@ -75,8 +75,10 @@ musl: RUN = $(DOCKER) mdashnet/cc1
unamalgamated: $(HDRS) Makefile test/packed_fs.c
$(CC) src/*.c test/packed_fs.c test/unit_test.c $(CFLAGS) $(LDFLAGS) -g -o unit_test
fuzz: WARN += -Wno-deprecated -Wno-vla-extension
fuzz: ASAN = -fsanitize=fuzzer,signed-integer-overflow,address,undefined
fuzz: mongoose.c mongoose.h Makefile test/fuzz.c
$(CXX) test/fuzz.c $(WARN) $(INCS) $(TFLAGS) -Wno-missing-field-initializers -fsanitize=fuzzer,signed-integer-overflow,address -Wno-deprecated -Wno-vla-extension -o fuzzer
$(CXX) test/fuzz.c $(OPTS) $(WARN) $(INCS) $(TFLAGS) $(ASAN) -o fuzzer
$(RUN) ./fuzzer
test: Makefile mongoose.h $(SRCS)

View File

@ -444,7 +444,7 @@ static void rx_arp(struct mip_if *ifp, struct pkt *pkt) {
static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
// MG_DEBUG(("ICMP %d", (int) len));
if (pkt->icmp->type == 8 && pkt->ip->dst == ifp->ip) {
if (pkt->icmp->type == 8 && pkt->ip != NULL && pkt->ip->dst == ifp->ip) {
struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src,
sizeof(struct icmp) + pkt->pay.len);
struct icmp *icmp = (struct icmp *) (ip + 1);
@ -733,7 +733,7 @@ static void rx_ip6(struct mip_if *ifp, struct pkt *pkt) {
if (pkt->pay.len < sizeof(*pkt->icmp)) return;
mkpay(pkt, pkt->icmp + 1);
rx_icmp(ifp, pkt);
} else if (pkt->ip->proto == 17) {
} else if (pkt->ip6->proto == 17) {
pkt->udp = (struct udp *) (pkt->ip6 + 1);
if (pkt->pay.len < sizeof(*pkt->udp)) return;
// MG_DEBUG((" UDP %u %u -> %u", len, mg_htons(udp->sport),

View File

@ -6733,7 +6733,7 @@ static void rx_arp(struct mip_if *ifp, struct pkt *pkt) {
static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) {
// MG_DEBUG(("ICMP %d", (int) len));
if (pkt->icmp->type == 8 && pkt->ip->dst == ifp->ip) {
if (pkt->icmp->type == 8 && pkt->ip != NULL && pkt->ip->dst == ifp->ip) {
struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src,
sizeof(struct icmp) + pkt->pay.len);
struct icmp *icmp = (struct icmp *) (ip + 1);
@ -7022,7 +7022,7 @@ static void rx_ip6(struct mip_if *ifp, struct pkt *pkt) {
if (pkt->pay.len < sizeof(*pkt->icmp)) return;
mkpay(pkt, pkt->icmp + 1);
rx_icmp(ifp, pkt);
} else if (pkt->ip->proto == 17) {
} else if (pkt->ip6->proto == 17) {
pkt->udp = (struct udp *) (pkt->ip6 + 1);
if (pkt->pay.len < sizeof(*pkt->udp)) return;
// MG_DEBUG((" UDP %u %u -> %u", len, mg_htons(udp->sport),

View File

@ -57,16 +57,30 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
mg_json_get(mg_str_n((char *) data, size), "$.a.b", &n);
mg_json_get(mg_str_n((char *) data, size), "$[0]", &n);
struct mip_cfg cfg = {};
size_t pktlen = 1540;
char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */];
struct mip_if *ifp = (struct mip_if *) t;
struct mg_mgr mgr;
mg_mgr_init(&mgr);
if_init(ifp, &mgr, &cfg, &mip_driver_mock, NULL, pktlen, 0);
mip_rx(ifp, (void *) data, size);
mgr.priv = NULL; // Don't let Mongoose free() ifp
mg_mgr_free(&mgr);
if (size > 0) {
struct mip_cfg cfg = {};
size_t pktlen = 1540;
char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */];
struct mip_if *ifp = (struct mip_if *) t;
struct mg_mgr mgr;
mg_mgr_init(&mgr);
if_init(ifp, &mgr, &cfg, &mip_driver_mock, NULL, pktlen, 0);
// Make a copy of the random data, in order to modify it
uint8_t pkt[size];
struct eth *eth = (struct eth *) pkt;
memcpy(pkt, data, size);
if (size > sizeof(*eth)) {
static uint8_t i;
uint16_t types[] = {0x800, 0x800, 0x806, 0x86dd};
memcpy(eth->dst, ifp->mac, 6); // Set valid destination MAC
eth->type = mg_htons(types[i++ & 3]);
}
mip_rx(ifp, (void *) pkt, size);
mgr.priv = NULL; // Don't let Mongoose free() ifp
mg_mgr_free(&mgr);
}
return 0;
}