fuzz: make targets more resitant to allocation failures

author Philippe Antoine <pantoine@oisf.net>

Wed, 17 May 2023 12:33:16 +0000 (14:33 +0200)

committer Philippe Antoine <pantoine@oisf.net>

Wed, 17 May 2023 13:20:11 +0000 (15:20 +0200)
author Philippe Antoine <pantoine@oisf.net>
Wed, 17 May 2023 12:33:16 +0000 (14:33 +0200)
committer Philippe Antoine <pantoine@oisf.net>
Wed, 17 May 2023 13:20:11 +0000 (15:20 +0200)
diff --git a/src/tests/fuzz/fuzz_applayerparserparse.c b/src/tests/fuzz/fuzz_applayerparserparse.c

index 3952c953a5682d842ea00821b7b39af77087a7ed..ac8dc0368581690600e7646146be4c68fb7a5cf7 100644 (file)
--- a/src/tests/fuzz/fuzz_applayerparserparse.c
+++ b/src/tests/fuzz/fuzz_applayerparserparse.c
@@ -36,6 +36,7 @@ AppLayerParserThreadCtx *alp_tctx = NULL;
  const uint8_t separator[] = {0x01, 0xD5, 0xCA, 0x7A};
  SCInstance surifuzz;
  AppProto forceLayer = 0;
+SC_ATOMIC_EXTERN(unsigned int, engine_stage);
  
  int LLVMFuzzerInitialize(int *argc, char ***argv)
  {
@@ -75,10 +76,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
      // otherwise overflows do not fail as they read the next packet
      uint8_t * isolatedBuffer;
  
-    if (size < HEADER_LEN) {
-        return 0;
-    }
-
      if (alp_tctx == NULL) {
          //Redirects logs to /dev/null
          setenv("SC_LOG_OP_IFACE", "file", 0);
@@ -97,6 +94,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
  
          PostConfLoadedSetup(&surifuzz);
          alp_tctx = AppLayerParserThreadCtxAlloc();
+        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
+    }
+
+    if (size < HEADER_LEN) {
+        return 0;
      }
  
      if (data[0] >= ALPROTO_MAX) {
@@ -149,7 +151,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
              // only if we have some data
              isolatedBuffer = malloc(alnext - albuffer);
              if (isolatedBuffer == NULL) {
-                return 0;
+                goto bail;
              }
              memcpy(isolatedBuffer, albuffer, alnext - albuffer);
              (void) AppLayerParserParse(NULL, alp_tctx, f, f->alproto, flags, isolatedBuffer, alnext - albuffer);
@@ -192,13 +194,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
          flags |= STREAM_EOF;
          isolatedBuffer = malloc(alsize);
          if (isolatedBuffer == NULL) {
-            return 0;
+            goto bail;
          }
          memcpy(isolatedBuffer, albuffer, alsize);
          (void) AppLayerParserParse(NULL, alp_tctx, f, f->alproto, flags, isolatedBuffer, alsize);
          free(isolatedBuffer);
      }
  
+bail:
      FLOWLOCK_UNLOCK(f);
      FlowFree(f);
  
diff --git a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c

index 8e2da4b27b9abe20fd1bc9a38f5ecb896d8c5af5..598e7cc03ff6df85c7ea4aa34075067583078427 100644 (file)
--- a/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
+++ b/src/tests/fuzz/fuzz_applayerprotodetectgetproto.c
@@ -23,6 +23,7 @@
  int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
  
  AppLayerProtoDetectThreadCtx *alpd_tctx = NULL;
+SC_ATOMIC_EXTERN(unsigned int, engine_stage);
  
  int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
  {
@@ -32,10 +33,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
      AppProto alproto;
      AppProto alproto2;
  
-    if (size < HEADER_LEN) {
-        return 0;
-    }
-
      if (alpd_tctx == NULL) {
          //global init
          InitGlobal();
@@ -50,6 +47,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
          AppLayerParserSetup();
          AppLayerParserRegisterProtocolParsers();
          alpd_tctx = AppLayerProtoDetectGetCtxThread();
+        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
+    }
+
+    if (size < HEADER_LEN) {
+        return 0;
      }
  
      f = TestHelperBuildFlow(AF_INET, "1.2.3.4", "5.6.7.8", (uint16_t)((data[2] << 8) | data[3]),
diff --git a/src/tests/fuzz/fuzz_decodepcapfile.c b/src/tests/fuzz/fuzz_decodepcapfile.c

index c4f2266a6560f7d1e58cb56d1242de43526e4c23..dbe042206f27a58162182ba999741e5f1fdd1dc4 100644 (file)
--- a/src/tests/fuzz/fuzz_decodepcapfile.c
+++ b/src/tests/fuzz/fuzz_decodepcapfile.c
@@ -31,6 +31,7 @@ pcap-file:\n\
  
  ThreadVars *tv;
  DecodeThreadVars *dtv;
+SC_ATOMIC_EXTERN(unsigned int, engine_stage);
  
  int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
  {
@@ -80,6 +81,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
          extern uint16_t max_pending_packets;
          max_pending_packets = 128;
          PacketPoolInit();
+        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
  
          initialized = 1;
      }
diff --git a/src/tests/fuzz/fuzz_predefpcap_aware.c b/src/tests/fuzz/fuzz_predefpcap_aware.c

index de0aa45f256be1977d0c9a361f90e77b24f1655d..c20e3d341d527df67f03198986217c4158ab4031 100644 (file)
--- a/src/tests/fuzz/fuzz_predefpcap_aware.c
+++ b/src/tests/fuzz/fuzz_predefpcap_aware.c
@@ -40,6 +40,7 @@ DecodeThreadVars *dtv;
  // FlowWorkerThreadData
  void *fwd;
  SCInstance surifuzz;
+SC_ATOMIC_EXTERN(unsigned int, engine_stage);
  
  #include "confyaml.c"
  
@@ -103,6 +104,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
              return 0;
          }
  
+        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
          initialized = 1;
      }
  
@@ -117,7 +119,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
      // loop over packets
      r = FPC_next(&pkts, &header, &pkt);
      p = PacketGetFromAlloc();
-    if (r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
+    if (p == NULL || r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
          goto bail;
      }
      p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
@@ -154,7 +156,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
          p->pkt_src = PKT_SRC_WIRE;
      }
  bail:
-    PacketFree(p);
+    if (p != NULL) {
+        PacketFree(p);
+    }
      FlowReset();
  
      return 0;
diff --git a/src/tests/fuzz/fuzz_sigpcap.c b/src/tests/fuzz/fuzz_sigpcap.c

index dfebd1f5f6da63f67cb555b6db795bd9192299fe..e5bd56deb476ca18f16b36af8468a56371e4f19d 100644 (file)
--- a/src/tests/fuzz/fuzz_sigpcap.c
+++ b/src/tests/fuzz/fuzz_sigpcap.c
@@ -40,6 +40,7 @@ DecodeThreadVars *dtv;
  //FlowWorkerThreadData
  void *fwd;
  SCInstance surifuzz;
+SC_ATOMIC_EXTERN(unsigned int, engine_stage);
  
  #include "confyaml.c"
  
@@ -92,6 +93,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
          extern uint16_t max_pending_packets;
          max_pending_packets = 128;
          PacketPoolInit();
+        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
          initialized = 1;
      }
  
diff --git a/src/tests/fuzz/fuzz_sigpcap_aware.c b/src/tests/fuzz/fuzz_sigpcap_aware.c

index 61e8c22c3ca33ea61fad7718d86fb9cda6557365..d2454769859b43b853e416eaecc47cdfda9f9830 100644 (file)
--- a/src/tests/fuzz/fuzz_sigpcap_aware.c
+++ b/src/tests/fuzz/fuzz_sigpcap_aware.c
@@ -40,6 +40,7 @@ DecodeThreadVars *dtv;
  // FlowWorkerThreadData
  void *fwd;
  SCInstance surifuzz;
+SC_ATOMIC_EXTERN(unsigned int, engine_stage);
  
  #include "confyaml.c"
  
@@ -118,6 +119,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
          extern uint16_t max_pending_packets;
          max_pending_packets = 128;
          PacketPoolInit();
+        SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
          initialized = 1;
      }
author	Philippe Antoine <pantoine@oisf.net>
	Wed, 17 May 2023 12:33:16 +0000 (14:33 +0200)
committer	Philippe Antoine <pantoine@oisf.net>
	Wed, 17 May 2023 13:20:11 +0000 (15:20 +0200)
src/tests/fuzz/fuzz_applayerparserparse.c		patch \| blob \| blame \| history
src/tests/fuzz/fuzz_applayerprotodetectgetproto.c		patch \| blob \| blame \| history
src/tests/fuzz/fuzz_decodepcapfile.c		patch \| blob \| blame \| history
src/tests/fuzz/fuzz_predefpcap_aware.c		patch \| blob \| blame \| history
src/tests/fuzz/fuzz_sigpcap.c		patch \| blob \| blame \| history
src/tests/fuzz/fuzz_sigpcap_aware.c		patch \| blob \| blame \| history