From 14d35a0854059d5b9a2c88ae8df350cbcc24e886 Mon Sep 17 00:00:00 2001
From: 0x34d <ajsinghyadav00@gmail.com>
Date: Sun, 9 Oct 2022 17:07:02 +0530
Subject: [PATCH] oss-fuzz and fuzzer files #551

Signed-off-by: 0x34d <ajsinghyadav00@gmail.com>
---
 README.md                                     |  11 ++
 configure.ac                                  |  16 +++
 tests/Makefile.am                             |   7 ++
 tests/build-fuzzer.sh                         |  30 +++++
 tests/decode.c                                | 105 +++++++++++-------
 tests/seed/fuzz-decode_seed_corpus/cdp.0.raw  | Bin 0 -> 120 bytes
 tests/seed/fuzz-decode_seed_corpus/cdp.1.raw  | Bin 0 -> 134 bytes
 tests/seed/fuzz-decode_seed_corpus/cdp.2.raw  | Bin 0 -> 300 bytes
 tests/seed/fuzz-decode_seed_corpus/cdp.3.raw  | Bin 0 -> 318 bytes
 tests/seed/fuzz-decode_seed_corpus/edp.0.raw  | Bin 0 -> 96 bytes
 tests/seed/fuzz-decode_seed_corpus/edp.1.raw  | Bin 0 -> 96 bytes
 tests/seed/fuzz-decode_seed_corpus/edp.2.raw  | Bin 0 -> 124 bytes
 tests/seed/fuzz-decode_seed_corpus/edp.3.raw  | Bin 0 -> 338 bytes
 tests/seed/fuzz-decode_seed_corpus/edp.4.raw  | Bin 0 -> 342 bytes
 tests/seed/fuzz-decode_seed_corpus/lldp.0.raw | Bin 0 -> 60 bytes
 tests/seed/fuzz-decode_seed_corpus/lldp.1.raw | Bin 0 -> 323 bytes
 .../seed/fuzz-decode_seed_corpus/sonmp.0.raw  | Bin 0 -> 33 bytes
 .../seed/fuzz-decode_seed_corpus/sonmp.1.raw  | Bin 0 -> 33 bytes
 .../seed/fuzz-decode_seed_corpus/sonmp.2.raw  | Bin 0 -> 60 bytes
 19 files changed, 131 insertions(+), 38 deletions(-)
 create mode 100644 tests/build-fuzzer.sh
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/cdp.0.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/cdp.1.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/cdp.2.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/cdp.3.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/edp.0.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/edp.1.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/edp.2.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/edp.3.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/edp.4.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/lldp.0.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/lldp.1.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/sonmp.0.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/sonmp.1.raw
 create mode 100644 tests/seed/fuzz-decode_seed_corpus/sonmp.2.raw

diff --git a/README.md b/README.md
index c57353ac..18fe2b87 100644
--- a/README.md
+++ b/README.md
@@ -368,6 +368,17 @@ To enable code coverage, use:
          --directory src --capture --output-file gcov.info
     genhtml gcov.info --output-directory coverage
 
+## Fuzzing
+libfuzzer:
+
+```
+export CC=clang
+export CXX=clang++
+
+sh ./tests/build.sh ASan
+sh ./tests/build.sh Run
+```
+
 ## Embedding
 
 To embed lldpd into an existing system, there are two point of entries:
diff --git a/configure.ac b/configure.ac
index 11ec21a8..9a028047 100644
--- a/configure.ac
+++ b/configure.ac
@@ -146,6 +146,21 @@ elif test x"$hardening" != x"no"; then
 fi
   ])
 
+#Fuzzer
+AC_ARG_ENABLE([fuzzer],
+  AS_HELP_STRING([--enable-fuzzer],
+    [Enable fuzzing @<:@default=no@:>@]),
+  [
+case "$enableval" in
+    no) fuzzer= ;;
+    yes) fuzzer="-fsanitize=fuzzer" ;;
+    *) fuzzer="$enableval" ;;
+esac
+if test x"$fuzzer" != x; then
+  AC_SUBST([FUZZENGINE], ["$fuzzer"])
+fi
+  ])
+
 # Code coverage
 AC_ARG_ENABLE([gcov],
   AS_HELP_STRING([--enable-gcov],
@@ -404,6 +419,7 @@ AC_SUBST([LLDP_CFLAGS])
 AC_SUBST([LLDP_CPPFLAGS])
 AC_SUBST([LLDP_LDFLAGS])
 AC_SUBST([LLDP_BIN_LDFLAGS])
+AM_CONDITIONAL([BUILD_FUZZER], [test x"$fuzzer" != x])
 AM_CONDITIONAL([HAVE_CHECK], [test x"$have_check" = x"yes"])
 AM_CONDITIONAL([USE_SNMP], [test x"$with_snmp" = x"yes"])
 AM_CONDITIONAL([USE_XML], [test x"$with_xml" = x"yes"])
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 34c99fd0..49951dc2 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -63,4 +63,11 @@ check_PROGRAMS += $(TESTS)
 
 endif
 
+if BUILD_FUZZER
+noinst_PROGRAMS = fuzz-decode
+fuzz-decode_CFLAGS=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fPIE
+fuzz-decode_SOURCES = decode.c
+fuzz-decode_LDADD = $(LDADD) $(FUZZENGINE)
+endif
+
 MOSTLYCLEANFILES = *.pcap
diff --git a/tests/build-fuzzer.sh b/tests/build-fuzzer.sh
new file mode 100644
index 00000000..aa287575
--- /dev/null
+++ b/tests/build-fuzzer.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -eu
+
+build(){
+   export CFLAGS="$1"
+   export CXXFLAGS="$1"
+
+   ./autogen.sh
+   ./configure CC="$CC" CFLAGS="$CFLAGS" LDFLAGS="$CFLAGS" \
+      --enable-fuzzer=yes --disable-shared --disable-hardening --enable-pie
+
+   make -j$(nproc)
+   mkdir -p tests/seed/fuzz-decode_Corpus
+}
+
+run(){
+   cd tests
+   ./fuzz-decode seed/fuzz-decode_Corpus seed/fuzz-decode_seed_corpus
+}
+
+help(){
+   echo "use: ./$0 ASan | UBSan | MSan | Run"
+}
+
+case $1 in
+   ASan) build "-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" ;;
+   UBSan) build "-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -fsanitize=fuzzer-no-link" ;;
+   MSan) build "-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory -fsanitize-memory-track-origins -fsanitize=fuzzer-no-link" ;;
+   run) run $2 ;;
+   *) help ;;
+esac
diff --git a/tests/decode.c b/tests/decode.c
index 9f75cc65..6ab0829f 100644
--- a/tests/decode.c
+++ b/tests/decode.c
@@ -58,6 +58,69 @@ tohex(char *str, size_t len)
 		exit(5); \
 	}
 
+int decode(char *frame, int size,
+    struct lldpd_hardware *hardware, struct lldpd_chassis **nchassis, struct lldpd_port **nport) {
+	/* For decoding, we only need a very basic hardware */
+	memset(hardware, 0, sizeof(struct lldpd_hardware));
+	hardware->h_mtu = 1500;
+	strlcpy(hardware->h_ifname, "test", sizeof(hardware->h_ifname));
+
+	int decoded = 0;
+	if (lldp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a LLDP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a LLDP frame\n");
+		decoded = 1;
+	}
+#if defined ENABLE_CDP || defined ENABLE_FDP
+	if (cdp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a CDP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a CDP frame\n");
+		decoded = 1;
+	}
+#endif
+#ifdef ENABLE_SONMP
+	if (sonmp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a SONMP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a SONMP frame\n");
+		decoded = 1;
+	}
+#endif
+#ifdef ENABLE_EDP
+	if (edp_decode(NULL, frame, size, hardware, nchassis, nport) == -1) {
+		fprintf(stderr, "Not decoded as a EDP frame\n");
+	} else {
+		fprintf(stderr, "Decoded as a EDP frame\n");
+		decoded = 1;
+	}
+#endif
+	return decoded;
+}
+
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+
+#define kMinInputLength 30
+#define kMaxInputLength 1500
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	if (size < kMinInputLength || size > kMaxInputLength){
+		return 0;
+	}
+	struct lldpd_hardware hardware;
+	struct lldpd_chassis *nchassis = NULL;
+	struct lldpd_port *nport = NULL;
+	if (!decode((char*)data, (int)size, &hardware, &nchassis, &nport)) {
+		return -1;
+	}
+	lldpd_port_cleanup(nport, 1); free(nport);
+	lldpd_chassis_cleanup(nchassis, 1);
+	return 0;
+}
+
+#else
+
 int
 main(int argc, char **argv)
 {
@@ -87,47 +150,11 @@ main(int argc, char **argv)
 	memcpy(&rechdr, buf + sizeof(hdr), sizeof(rechdr));
 	assert(len >= sizeof(hdr) + sizeof(rechdr) + rechdr.incl_len);
 
-	/* For decoding, we only need a very basic hardware */
 	struct lldpd_hardware hardware;
-	memset(&hardware, 0, sizeof(struct lldpd_hardware));
-	hardware.h_mtu = 1500;
-	strlcpy(hardware.h_ifname, "test", sizeof(hardware.h_ifname));
-
-	char *frame = buf + sizeof(hdr) + sizeof(rechdr);
 	struct lldpd_chassis *nchassis = NULL;
 	struct lldpd_port *nport = NULL;
-	int decoded = 0;
-	if (lldp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a LLDP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a LLDP frame\n");
-		decoded = 1;
-	}
-#if defined ENABLE_CDP || defined ENABLE_FDP
-	if (cdp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a CDP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a CDP frame\n");
-		decoded = 1;
-	}
-#endif
-#ifdef ENABLE_SONMP
-	if (sonmp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a SONMP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a SONMP frame\n");
-		decoded = 1;
-	}
-#endif
-#ifdef ENABLE_EDP
-	if (edp_decode(NULL, frame, rechdr.incl_len, &hardware, &nchassis, &nport) == -1) {
-		fprintf(stderr, "Not decoded as a EDP frame\n");
-	} else {
-		fprintf(stderr, "Decoded as a EDP frame\n");
-		decoded = 1;
-	}
-#endif
-	if (!decoded) exit(1);
+	if (!decode(buf + sizeof(hdr) + sizeof(rechdr), rechdr.incl_len, &hardware, &nchassis, &nport))
+		exit(1);
 
 	printf("Chassis:\n");
 	printf(" Index: %" PRIu16 "\n", nchassis->c_index);
@@ -245,3 +272,5 @@ main(int argc, char **argv)
 #endif
 	exit(0);
 }
+
+#endif
diff --git a/tests/seed/fuzz-decode_seed_corpus/cdp.0.raw b/tests/seed/fuzz-decode_seed_corpus/cdp.0.raw
new file mode 100644
index 0000000000000000000000000000000000000000..b5dad7c645356a299d2f567164c7ba5d132d8d27
GIT binary patch
literal 120
zc-muR;5l>VOq@X9^Om&?S*untGcfQdFfeYh`p&?}An2A^R9vEvoRL^uoLS7k#30DP
zz`)4Jc!q&xjbNWD12cn&TVipEYe`0GQC@0^f}y@C0}BHOP>~=5D}%T*M4v)RYH@N=
TW<g12ejWoG1E)`BUTFmY=|>=1

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/cdp.1.raw b/tests/seed/fuzz-decode_seed_corpus/cdp.1.raw
new file mode 100644
index 0000000000000000000000000000000000000000..68fca42c2fb84ab887dcb45388ff27f124a1c03b
GIT binary patch
literal 134
zc-muR;5l>VOq@X9^Om&?6{}V;GcfQdFfeU7k<P%#AQYUMoS&DXkercNT%1|Vz{DWM
zz`(%7$asc<WsP8;3XGw~z|0`wo|&GQlv$$ST9T1kl$TnfV5)Dyz{0=*)FH{h${_9x
bF+?FHwK%ybv!En1KaYWpfzu~5ue1UH<pm^U

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/cdp.2.raw b/tests/seed/fuzz-decode_seed_corpus/cdp.2.raw
new file mode 100644
index 0000000000000000000000000000000000000000..691ca4aab6d890d836faacc4422b824591a6f8c5
GIT binary patch
literal 300
zc-lpdO-jQ+7>2*GwMeK!7jDb9Odu(l214Vmgb0OdBq@r^IGr{@^TT9H$&I9I58wf^
zEx6Mocm${I!sYwRL!jTbE&L4k`)e}X?K%K`1oH9y3j}%*g)<lc03oD>?&rHkpaYkI
zOt~nyw4n<ZDjmQ%eEC_;N}Lt)7;Q`Oiebe?BC}$RaZ^j4V_dG}HW3`PSs0@(a|5Ys
z+yB1qAGCG<Y|RZ5AGxTrvOr2lW1WtT2NR=U9!%o^<M4LzG>rn(SBx5(UsjFC)~Q6D
zsZVd>TGaC<_|hOda-9HbQvtG(s^?Yq#+SI*aI_ukE)kY$+wP6y95&0ErHV&F53Wvo
Hg+>1W>DyG3

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/cdp.3.raw b/tests/seed/fuzz-decode_seed_corpus/cdp.3.raw
new file mode 100644
index 0000000000000000000000000000000000000000..2af7e8ca05581317bf30ea60cba27649d5cd4df7
GIT binary patch
literal 318
zc-lo!!A^rf6nvCwOl@Ksf8gDOq|}AzqTY}|(nNy+QoT~T1)>GAtRehT<I%4$-25Sz
z_Tam{$;^8*qrkN9`ya@C0EO)LD!>$B^c`P;0vBAYGb&gkhzTd~>lRH~;j$ErmrS%3
zf5)I^JP}2iVbnE(?J%mgqD?r%$ufvg6FVJki;#a@bBEn{F`o4~t{88MszlRTSlSJh
zNa#IzPUK+}`0=X~dZ=wvQ=hn1-SHyJ1!}2|=KUQt<P{s&9i|6Y$M?-#+DjLbzN?E5
zw!t|6M2i|u%?-)6%!gY#XzDiEFgS(TQ7j$N)msQ7n1Sp;QF<7EJ=!X$aOo$F@I-!y
POs)xx;S7d3myP@Z=|NUa

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/edp.0.raw b/tests/seed/fuzz-decode_seed_corpus/edp.0.raw
new file mode 100644
index 0000000000000000000000000000000000000000..42a6dbc550b84fe9f3fbd125c92d274f0a309e1c
GIT binary patch
literal 96
zc-mulpv}O*5GT<0yk#vz(5h9;3_yY1j0_B3_mmjmGBX(&gxoTVic1udGZKr7Gm9B!
aGBKzCrI{I^fSrvc`9BaaAc2_-3@iX5q!)hx

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/edp.1.raw b/tests/seed/fuzz-decode_seed_corpus/edp.1.raw
new file mode 100644
index 0000000000000000000000000000000000000000..5febdc59fd0fddbddef69db847b31eaa312cd506
GIT binary patch
literal 96
zc-mulpv}O*5GT<0yk#vz(5h9;3_yY1j0_B3_Y@eIU@|iq8HC(2i;7DWk~0#Ei!+NE
bW->9T05vi*Kmj`&OY(mpU_b&h85mdqBA^$4

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/edp.2.raw b/tests/seed/fuzz-decode_seed_corpus/edp.2.raw
new file mode 100644
index 0000000000000000000000000000000000000000..05fbb8d08b00e6db9e7440c9ed279fa357a36748
GIT binary patch
literal 124
zc-mulpv}O*5GT<0yk#vz-l|p13_yY1j0_BE8b=tIVKOsW8Ki;A<}yHmTV_#li9(o<
mqaOoMN``@f<vvU*I5jyxF9j|K)W-A_CKr;CSp<^;>Hz?Cvm2KH

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/edp.3.raw b/tests/seed/fuzz-decode_seed_corpus/edp.3.raw
new file mode 100644
index 0000000000000000000000000000000000000000..7b0ca07db4948cc4ddf6984f3b2440ad4a190282
GIT binary patch
literal 338
zc-mulpv?dTEYnzB@)=!Ltzu>X3hZWNV6<Vq&&&^#naRYU!hi(W*;p9<|7Sn}GZ`6K
z@=^^<4GfFR^&-FkRRMD~m};oxee)j(8kToM%oOLSd-{lh;T;eFc}$I)BtL-YhNbBW
sAhCv5J!^n`Mvxd-J;cSN0J8KoENRnuhXz36U>af;2aFE`GlAg+0RMPQc>n+a

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/edp.4.raw b/tests/seed/fuzz-decode_seed_corpus/edp.4.raw
new file mode 100644
index 0000000000000000000000000000000000000000..e8dfefb3b32b3a85a9b89b2a81fcad06abed1370
GIT binary patch
literal 342
zc-mulpv?dTEYnzB@)<o=tzu>X3hZWNV00*EVHSYN%w%OqX<%SrWPk#f)U?FXoDv4-
z#Js%x5{2T#vQ&knqRf=^RD~3XltM|qLSC7IhH8o?7XyP|K1@0-zeu6Dv>>&}3C#D*
zD=tw`O#zt+vV#E$_$DTY<s|00WELmqm!%dlPy;~yVFY4x88O&9rsQVkIT<lf6U+pL
F834o;Fqr@V

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/lldp.0.raw b/tests/seed/fuzz-decode_seed_corpus/lldp.0.raw
new file mode 100644
index 0000000000000000000000000000000000000000..21002a7e04ed96cc37b44792a0be27e7ecbf4647
GIT binary patch
literal 60
pc-muZIK;rf#~^-jh3USIGfeC(VCH@nc4iR6jERkjp@IPi006ib3J?GQ

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/lldp.1.raw b/tests/seed/fuzz-decode_seed_corpus/lldp.1.raw
new file mode 100644
index 0000000000000000000000000000000000000000..279e239368a376b4c3ddb94a37273289342f336e
GIT binary patch
literal 323
zc-m!-J5Iw;5JktaV<%2XEc25P#YogK^B(@DL6LDq93mV(9g0LGkcfkVEt!szZLkR%
zI%<}{8d$;;4^knnrZ{tMbCsuefDUYJ@4vi0f7A?Zg_@zRK(9e%?&Q;DSuC8(|7jl%
zZ}YN3?)VOmdb~HCU;8fZG0f62W@V1)^buJgug|=`8{pX_MotuA75Z1c+tFYbHmr7C
zF~7#gH2_edq0NdL5>2qXsv-^iqN3iZU<qBKR{s<R*l$0j=t`)Mj-rSKVH6M-Eh%&g
zi5N#=%g6Y;PFT`47<nP5&?C7;Y)aD{B{9Z}`F&Z;mJgT>GO;eTIX<~aPSe38!SmsP
PM`BIN79-*mFirs9YvxWy

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/sonmp.0.raw b/tests/seed/fuzz-decode_seed_corpus/sonmp.0.raw
new file mode 100644
index 0000000000000000000000000000000000000000..438c7714287112f65def000ea8016ca55ab5be57
GIT binary patch
literal 33
oc-muRXk=hyh!g00-m;cKc-1Oq28Kq)MQa56R2djp7<rf(0g*EYs{jB1

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/sonmp.1.raw b/tests/seed/fuzz-decode_seed_corpus/sonmp.1.raw
new file mode 100644
index 0000000000000000000000000000000000000000..79901072f1b446bd5dc41cf6f32b76a5ff458a54
GIT binary patch
literal 33
oc-muRXk=hyj1%a4-m;cKc-1Oq28Kq)g=+-+R2djp7<rf(0g*!os{jB1

literal 0
Hc-jL100001

diff --git a/tests/seed/fuzz-decode_seed_corpus/sonmp.2.raw b/tests/seed/fuzz-decode_seed_corpus/sonmp.2.raw
new file mode 100644
index 0000000000000000000000000000000000000000..7681634bb08d27be5dc4f322b0ca2402f529b1b8
GIT binary patch
literal 60
rc-muRXk=hyV31bj2ykZ*UbTvufuWIc(Heo&6%0%q7CcNqIh+6h0-Xj6

literal 0
Hc-jL100001

-- 
2.39.5