3 * @author Philippe Antoine <contact@catenacyber.fr>
4 * fuzz target for AppLayerProtoDetectGetProto
8 #include "suricata-common.h"
9 #include "app-layer-detect-proto.h"
10 #include "flow-util.h"
11 #include "app-layer-parser.h"
12 #include "util-unittest-helper.h"
/*
 * Rule-of-thumb ceiling on the prefix lengths the target re-runs protocol
 * detection on, chosen so that one input does not make the target time out.
 * The re-check loop in LLVMFuzzerTestOneInput stops at this bound, so the
 * split-consistency check only covers payload prefixes shorter than
 * PROTO_DETECT_MAX_LEN bytes; longer splits are not exercised.
 */
#define PROTO_DETECT_MAX_LEN 1024

/* libFuzzer entry point: takes one raw input buffer and its length. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

/*
 * Protocol-detection thread context kept at file scope, so it persists
 * between calls to the entry point. Starts as NULL; the entry point tests
 * it against NULL and assigns it from AppLayerProtoDetectGetCtxThread().
 */
AppLayerProtoDetectThreadCtx *alpd_tctx = NULL;
24 int LLVMFuzzerTestOneInput(const uint8_t *data
, size_t size
)
32 if (size
< HEADER_LEN
) {
36 if (alpd_tctx
== NULL
) {
39 run_mode
= RUNMODE_UNITTEST
;
42 AppLayerProtoDetectSetup();
43 AppLayerParserSetup();
44 AppLayerParserRegisterProtocolParsers();
45 alpd_tctx
= AppLayerProtoDetectGetCtxThread();
48 f
= TestHelperBuildFlow(AF_INET
, "1.2.3.4", "5.6.7.8", (data
[2] << 8) | data
[3], (data
[4] << 8) | data
[5]);
53 memset(&ssn
, 0, sizeof(TcpSession
));
55 f
->protomap
= FlowGetProtoMapping(f
->proto
);
57 alproto
= AppLayerProtoDetectGetProto(alpd_tctx
, f
, data
+HEADER_LEN
, size
-HEADER_LEN
, f
->proto
, data
[0], &reverse
);
58 if (alproto
!= ALPROTO_UNKNOWN
&& alproto
!= ALPROTO_FAILED
&& f
->proto
== IPPROTO_TCP
) {
59 /* If we find a valid protocol :
60 * check that with smaller input
61 * we find the same protocol or ALPROTO_UNKNOWN.
62 * Otherwise, we have evasion with TCP splitting
64 for (size_t i
= 0; i
< size
-HEADER_LEN
&& i
< PROTO_DETECT_MAX_LEN
; i
++) {
65 alproto2
= AppLayerProtoDetectGetProto(alpd_tctx
, f
, data
+HEADER_LEN
, i
, f
->proto
, data
[0], &reverse
);
66 if (alproto2
!= ALPROTO_UNKNOWN
&& alproto2
!= alproto
) {
67 printf("Assertion failure : With input length %"PRIuMAX
", found %s instead of %s\n", (uintmax_t) i
, AppProtoToString(alproto2
), AppProtoToString(alproto
));