From: Jouni Malinen
Date: Sun, 2 Mar 2025 16:49:44 +0000 (+0200)
Subject: tests: Fuzzing tester for RADIUS message parsing
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7b8fc93a757d770bede539c8704b910ca95e96c;p=thirdparty%2Fhostap.git
tests: Fuzzing tester for RADIUS message parsing
Signed-off-by: Jouni Malinen
---
diff --git a/tests/fuzzing/radius/.gitignore b/tests/fuzzing/radius/.gitignore
new file mode 100644
index 000000000..fa85644c1
--- /dev/null
+++ b/tests/fuzzing/radius/.gitignore
@@ -0,0 +1 @@
+radius
diff --git a/tests/fuzzing/radius/Makefile b/tests/fuzzing/radius/Makefile
new file mode 100644
index 000000000..76246ef0d
--- /dev/null
+++ b/tests/fuzzing/radius/Makefile
@@ -0,0 +1,29 @@
+ALL=radius
+include ../rules.include
+
+CFLAGS += -DCONFIG_IPV6
+
+LIBS += $(SRC)/common/libcommon.a
+LIBS += $(SRC)/crypto/libcrypto.a
+LIBS += $(SRC)/utils/libutils.a
+
+ELIBS += $(SRC)/crypto/libcrypto.a
+
+OBJS += $(SRC)/radius/radius.o
+
+OBJS += radius.o
+
+_OBJS_VAR := OBJS
+include ../../../src/objs.mk
+
+_OBJS_VAR := LIBS
+include ../../../src/objs.mk
+
+_OBJS_VAR := ELIBS
+include ../../../src/objs.mk
+
+radius: $(OBJS) $(LIBS)
+ $(LDO) $(LDFLAGS) -o $@ $^ $(LIBS) $(ELIBS)
+
+clean: common-clean
+ rm -f radius *~ *.o *.d ../*~ ../*.o ../*.d
diff --git a/tests/fuzzing/radius/corpus/access-accept-eap.bin b/tests/fuzzing/radius/corpus/access-accept-eap.bin
new file mode 100644
index 000000000..aa2bff682
Binary files /dev/null and b/tests/fuzzing/radius/corpus/access-accept-eap.bin differ
diff --git a/tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin b/tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin
new file mode 100644
index 000000000..5909d96f4
Binary files /dev/null and b/tests/fuzzing/radius/corpus/access-accept-tunnel-pw.bin differ
diff --git a/tests/fuzzing/radius/corpus/access-challenge-eap.bin b/tests/fuzzing/radius/corpus/access-challenge-eap.bin
new file mode 100644
index 000000000..d25f309c3
Binary files /dev/null and b/tests/fuzzing/radius/corpus/access-challenge-eap.bin differ
diff --git a/tests/fuzzing/radius/radius.c b/tests/fuzzing/radius/radius.c
new file mode 100644
index 000000000..34ca472a9
--- /dev/null
+++ b/tests/fuzzing/radius/radius.c
@@ -0,0 +1,60 @@
+/*
+ * hostapd - RADIUS fuzzer
+ * Copyright (c) 2025, Jouni Malinen
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#include "utils/includes.h"
+
+#include "utils/common.h"
+#include "radius/radius.h"
+#include "../fuzzer-common.h"
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct radius_msg *msg, *sent_msg;
+ struct wpabuf *eap;
+ u8 buf[10];
+ int untagged;
+ const unsigned int num_tagged = 5;
+ int tagged[num_tagged];
+ char *pw;
+ int keylen;
+
+ wpa_fuzzer_set_debug_level();
+
+ if (os_program_init())
+ return 0;
+
+ sent_msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 123);
+ if (!sent_msg)
+ return -1;
+ radius_msg_finish(sent_msg, (const u8 *) "test", 4);
+
+ msg = radius_msg_parse(data, size);
+ if (msg) {
+ radius_msg_dump(msg);
+ radius_msg_get_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
+ buf, sizeof(buf));
+ radius_msg_get_vlanid(msg, &untagged, num_tagged, tagged);
+ eap = radius_msg_get_eap(msg);
+ wpa_hexdump_buf(MSG_INFO, "EAP", eap);
+ wpabuf_free(eap);
+ pw = radius_msg_get_tunnel_password(msg, &keylen,
+ (const u8 *) "test", 4,
+ sent_msg, 1);
+ if (pw)
+ wpa_printf(MSG_INFO, "PW: %s", pw);
+ os_free(pw);
+ radius_msg_free(msg);
+ }
+
+ radius_msg_free(sent_msg);
+
+ os_program_deinit();
+
+ return 0;
+}
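Review bot: The `if (!sent_msg) return -1;` path in `LLVMFuzzerTestOneInput()` exits after `os_program_init()` has succeeded but without the `os_program_deinit()` call that every later path reaches, so init and deinit are unbalanced whenever `radius_msg_new()` fails. libFuzzer calls this entry point repeatedly in one process, so I would pair them on that path as well, e.g. `if (!sent_msg) { os_program_deinit(); return 0; }`, returning 0 because the failure is unrelated to the input. Separately, `int tagged[num_tagged];` is a variable-length array in C, since `num_tagged` is a `const` object rather than a constant expression; `enum { NUM_TAGGED = 5 };` would make it a fixed-size array and keep the harness clean under `-Wvla`. A short comment above `radius_msg_finish()` saying that the request is built with the same fixed secret `"test"` that is later passed to `radius_msg_get_tunnel_password()` (presumably so the seed corpus can decrypt reproducibly) would help the next reader of the harness.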