From: Guido Vranken Date: Fri, 23 Jun 2017 14:36:00 +0000 (+0200) Subject: Add list.c fuzzer X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3028e56e441668fe4a5f95a846154397a5407860;p=thirdparty%2Fopenvpn.git Add list.c fuzzer --- diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 67b06a70a..8b588af79 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -131,7 +131,8 @@ extra_PROGRAMS = \ openvpn-fuzzer-proxy openvpn-fuzzer-proxy-standalone \ openvpn-fuzzer-options openvpn-fuzzer-options-standalone \ openvpn-fuzzer-verify-cert openvpn-fuzzer-verify-cert-standalone \ - openvpn-fuzzer-buffer openvpn-fuzzer-buffer-standalone + openvpn-fuzzer-buffer openvpn-fuzzer-buffer-standalone \ + openvpn-fuzzer-list openvpn-fuzzer-list-standalone extradir = . fuzzer_sources = dummy.cpp fuzzer_cflags = \ @@ -184,15 +185,20 @@ openvpn_fuzzer_options_LDFLAGS = $(fuzzer_ldflags) openvpn_fuzzer_options_CFLAGS = $(fuzzer_cflags) openvpn_fuzzer_options_LDADD = $(fuzzer_ldadd) fuzzer-options.o libFuzzer.a +openvpn_fuzzer_verify_cert_SOURCES = $(fuzzer_sources) +openvpn_fuzzer_verify_cert_LDFLAGS = $(fuzzer_ldflags) +openvpn_fuzzer_verify_cert_CFLAGS = $(fuzzer_cflags) +openvpn_fuzzer_verify_cert_LDADD = $(fuzzer_ldadd) fuzzer-verify-cert.o libFuzzer.a + openvpn_fuzzer_buffer_SOURCES = $(fuzzer_sources) openvpn_fuzzer_buffer_LDFLAGS = $(fuzzer_ldflags) openvpn_fuzzer_buffer_CFLAGS = $(fuzzer_cflags) openvpn_fuzzer_buffer_LDADD = $(fuzzer_ldadd) fuzzer-buffer.o libFuzzer.a -openvpn_fuzzer_verify_cert_SOURCES = $(fuzzer_sources) -openvpn_fuzzer_verify_cert_LDFLAGS = $(fuzzer_ldflags) -openvpn_fuzzer_verify_cert_CFLAGS = $(fuzzer_cflags) -openvpn_fuzzer_verify_cert_LDADD = $(fuzzer_ldadd) fuzzer-verify-cert.o libFuzzer.a +openvpn_fuzzer_list_SOURCES = $(fuzzer_sources) +openvpn_fuzzer_list_LDFLAGS = $(fuzzer_ldflags) +openvpn_fuzzer_list_CFLAGS = $(fuzzer_cflags) +openvpn_fuzzer_list_LDADD = $(fuzzer_ldadd) fuzzer-list.o libFuzzer.a openvpn_fuzzer_base64_standalone_SOURCES = fuzzer-standalone-loader.c openvpn_fuzzer_base64_standalone_LDFLAGS = $(fuzzer_ldflags) @@ -233,3 +239,8 @@ openvpn_fuzzer_buffer_standalone_SOURCES = fuzzer-standalone-loader.c openvpn_fuzzer_buffer_standalone_LDFLAGS = $(fuzzer_ldflags) openvpn_fuzzer_buffer_standalone_CFLAGS = $(fuzzer_cflags) openvpn_fuzzer_buffer_standalone_LDADD = $(fuzzer_ldadd) fuzzer-buffer.o + +openvpn_fuzzer_list_standalone_SOURCES = fuzzer-standalone-loader.c +openvpn_fuzzer_list_standalone_LDFLAGS = $(fuzzer_ldflags) +openvpn_fuzzer_list_standalone_CFLAGS = $(fuzzer_cflags) +openvpn_fuzzer_list_standalone_LDADD = $(fuzzer_ldadd) fuzzer-list.o diff --git a/src/openvpn/fuzzer-list.c b/src/openvpn/fuzzer-list.c new file mode 100644 index 000000000..e4f763cfe --- /dev/null +++ b/src/openvpn/fuzzer-list.c @@ -0,0 +1,156 @@ +#include "config.h" +#include "syshead.h" + +#include "fuzzing.h" +#include "misc.h" +#include "list.h" + +#define SUBBUFFER_SIZE 256 + +static uint32_t +word_hash_function(const void *key, uint32_t iv) +{ + return hash_func(key, sizeof(key), iv); +} + +static bool +word_compare_function(const void *key1, const void *key2) +{ + return ((size_t)key1 & 0xFFF) == ((size_t)key1 & 0xFFF); +} + + +static void serialize_hash_element(struct hash_element* he) +{ + test_undefined_memory(&he->hash_value, sizeof(he->hash_value)); +} +static void serialize_hash_element_list(struct hash_element* list) +{ + while ( list ) + { + serialize_hash_element(list); + list = list->next; + } +} +static void serialize_hash_bucket(struct hash_bucket* buckets) +{ + if ( buckets->list ) + { + serialize_hash_element_list(buckets->list); + } +} +static void serialize_hash(struct hash* hash) +{ + test_undefined_memory(&hash->n_buckets, sizeof(hash->n_buckets)); + test_undefined_memory(&hash->n_elements, sizeof(hash->n_elements)); + test_undefined_memory(&hash->mask, sizeof(hash->mask)); + test_undefined_memory(&hash->iv, sizeof(hash->iv)); + if ( hash->buckets ) + { + serialize_hash_bucket(hash->buckets); + } +} + +int LLVMFuzzerInitialize(int *argc, char ***argv) +{ + return 1; +} +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + struct gc_arena gc; + struct hash* hash = NULL; + ssize_t i, generic_ssizet, generic_ssizet2, num_loops; + fuzzer_set_input((unsigned char*)data, size); + gc = gc_new(); + + FUZZER_GET_INTEGER(num_loops, 16); + for (i = 0; i < num_loops; i++) + { + FUZZER_GET_INTEGER(generic_ssizet, 7); + switch ( generic_ssizet ) + { + case 0: + if ( hash == NULL ) + { + int n_buckets; + uint32_t iv; + FUZZER_GET_INTEGER(generic_ssizet, 102400); + n_buckets = generic_ssizet; + FUZZER_GET_INTEGER(generic_ssizet, 4294967296); + iv = generic_ssizet; + hash = hash_init(generic_ssizet, iv, word_hash_function, word_compare_function); + } + break; + case 1: + if ( hash ) + { + hash_free(hash); + hash = NULL; + } + break; + case 2: + if ( hash ) + { + struct hash_iterator hi; + struct hash_element *he; + hash_iterator_init(hash, &hi); + while ((he = hash_iterator_next(&hi))) + { + void *w = he->value; + } + hash_iterator_free(&hi); + } + case 3: + if ( hash ) + { + void* key; + void* value; + FUZZER_GET_INTEGER(generic_ssizet, 4294967296); + key = (void*)generic_ssizet; + if ( !hash_lookup(hash, key) ) + { + FUZZER_GET_INTEGER(generic_ssizet, 4294967296); + value = (void*)generic_ssizet; + hash_add(hash, key, value, false); + } + } + break; + case 4: + if ( hash ) + { + hash_n_elements(hash); + } + break; + case 5: + if ( hash ) + { + hash_n_buckets(hash); + } + break; + case 6: + if ( hash ) + { + uint32_t hv; + FUZZER_GET_INTEGER(generic_ssizet, 4294967296); + hv = generic_ssizet; + hash_bucket(hash, hv); + } + break; + case 7: + if ( hash ) + { + void* key; + FUZZER_GET_INTEGER(generic_ssizet, 4294967296); + key = (void*)generic_ssizet; + hash_remove(hash, key); + } + break; + } + } +cleanup: + if ( hash ) + { + hash_free(hash); + } + return 0; +}