diff --git a/Makefile b/Makefile index 30fe0e46..2eb5f160 100644 --- a/Makefile +++ b/Makefile @@ -75,8 +75,10 @@ musl: RUN = $(DOCKER) mdashnet/cc1 unamalgamated: $(HDRS) Makefile test/packed_fs.c $(CC) src/*.c test/packed_fs.c test/unit_test.c $(CFLAGS) $(LDFLAGS) -g -o unit_test +fuzz: WARN += -Wno-deprecated -Wno-vla-extension +fuzz: ASAN = -fsanitize=fuzzer,signed-integer-overflow,address,undefined fuzz: mongoose.c mongoose.h Makefile test/fuzz.c - $(CXX) test/fuzz.c $(WARN) $(INCS) $(TFLAGS) -Wno-missing-field-initializers -fsanitize=fuzzer,signed-integer-overflow,address -Wno-deprecated -Wno-vla-extension -o fuzzer + $(CXX) test/fuzz.c $(OPTS) $(WARN) $(INCS) $(TFLAGS) $(ASAN) -o fuzzer $(RUN) ./fuzzer test: Makefile mongoose.h $(SRCS) diff --git a/mip/mip.c b/mip/mip.c index da897991..be3dbaff 100644 --- a/mip/mip.c +++ b/mip/mip.c @@ -444,7 +444,7 @@ static void rx_arp(struct mip_if *ifp, struct pkt *pkt) { static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) { // MG_DEBUG(("ICMP %d", (int) len)); - if (pkt->icmp->type == 8 && pkt->ip->dst == ifp->ip) { + if (pkt->icmp->type == 8 && pkt->ip != NULL && pkt->ip->dst == ifp->ip) { struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src, sizeof(struct icmp) + pkt->pay.len); struct icmp *icmp = (struct icmp *) (ip + 1); @@ -733,7 +733,7 @@ static void rx_ip6(struct mip_if *ifp, struct pkt *pkt) { if (pkt->pay.len < sizeof(*pkt->icmp)) return; mkpay(pkt, pkt->icmp + 1); rx_icmp(ifp, pkt); - } else if (pkt->ip->proto == 17) { + } else if (pkt->ip6->proto == 17) { pkt->udp = (struct udp *) (pkt->ip6 + 1); if (pkt->pay.len < sizeof(*pkt->udp)) return; // MG_DEBUG((" UDP %u %u -> %u", len, mg_htons(udp->sport), diff --git a/mongoose.c b/mongoose.c index 1fabc147..2c0249ee 100644 --- a/mongoose.c +++ b/mongoose.c @@ -6733,7 +6733,7 @@ static void rx_arp(struct mip_if *ifp, struct pkt *pkt) { static void rx_icmp(struct mip_if *ifp, struct pkt *pkt) { // MG_DEBUG(("ICMP %d", (int) len)); - if (pkt->icmp->type == 8 && pkt->ip->dst == ifp->ip) { + if (pkt->icmp->type == 8 && pkt->ip != NULL && pkt->ip->dst == ifp->ip) { struct ip *ip = tx_ip(ifp, 1, ifp->ip, pkt->ip->src, sizeof(struct icmp) + pkt->pay.len); struct icmp *icmp = (struct icmp *) (ip + 1); @@ -7022,7 +7022,7 @@ static void rx_ip6(struct mip_if *ifp, struct pkt *pkt) { if (pkt->pay.len < sizeof(*pkt->icmp)) return; mkpay(pkt, pkt->icmp + 1); rx_icmp(ifp, pkt); - } else if (pkt->ip->proto == 17) { + } else if (pkt->ip6->proto == 17) { pkt->udp = (struct udp *) (pkt->ip6 + 1); if (pkt->pay.len < sizeof(*pkt->udp)) return; // MG_DEBUG((" UDP %u %u -> %u", len, mg_htons(udp->sport), diff --git a/test/fuzz.c b/test/fuzz.c index 9fb9f1a1..0484bbb6 100644 --- a/test/fuzz.c +++ b/test/fuzz.c @@ -57,16 +57,30 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { mg_json_get(mg_str_n((char *) data, size), "$.a.b", &n); mg_json_get(mg_str_n((char *) data, size), "$[0]", &n); - struct mip_cfg cfg = {}; - size_t pktlen = 1540; - char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */]; - struct mip_if *ifp = (struct mip_if *) t; - struct mg_mgr mgr; - mg_mgr_init(&mgr); - if_init(ifp, &mgr, &cfg, &mip_driver_mock, NULL, pktlen, 0); - mip_rx(ifp, (void *) data, size); - mgr.priv = NULL; // Don't let Mongoose free() ifp - mg_mgr_free(&mgr); + if (size > 0) { + struct mip_cfg cfg = {}; + size_t pktlen = 1540; + char t[sizeof(struct mip_if) + pktlen * 2 + 0 /* qlen */]; + struct mip_if *ifp = (struct mip_if *) t; + struct mg_mgr mgr; + mg_mgr_init(&mgr); + if_init(ifp, &mgr, &cfg, &mip_driver_mock, NULL, pktlen, 0); + + // Make a copy of the random data, in order to modify it + uint8_t pkt[size]; + struct eth *eth = (struct eth *) pkt; + memcpy(pkt, data, size); + if (size > sizeof(*eth)) { + static uint8_t i; + uint16_t types[] = {0x800, 0x800, 0x806, 0x86dd}; + memcpy(eth->dst, ifp->mac, 6); // Set valid destination MAC + eth->type = mg_htons(types[i++ & 3]); + } + + mip_rx(ifp, (void *) pkt, size); + mgr.priv = NULL; // Don't let Mongoose free() ifp + mg_mgr_free(&mgr); + } return 0; }