From f48e573e4f9e1e9c6e6a009648add8b436d66c11 Mon Sep 17 00:00:00 2001
From: Guido Vranken <guidovranken@gmail.com>
Date: Fri, 11 Aug 2017 02:58:13 +0200
Subject: [PATCH] fuzzer-forward.c: add comments, refactor code in multiple
 functions for more readability, use gc instead of malloc

---
 src/openvpn/fuzzer-forward.c | 150 +++++++++++++++++++++++------------
 1 file changed, 99 insertions(+), 51 deletions(-)

diff --git a/src/openvpn/fuzzer-forward.c b/src/openvpn/fuzzer-forward.c
index 50e6793a7..0aaf74efc 100644
--- a/src/openvpn/fuzzer-forward.c
+++ b/src/openvpn/fuzzer-forward.c
@@ -10,34 +10,20 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 {
     return 1;
 }
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+
+static int _init_options(struct options* options, struct client_nat_entry** cne, struct gc_arena *gc)
 {
-    struct gc_arena gc;
-    struct buffer buf;
-    struct client_nat_entry* cne[MAX_CLIENT_NAT];
     ssize_t num_loops, generic_ssizet;
-    unsigned int generic_uint, flags;
     size_t n;
-    counter_type counter;
-    struct context ctx;
-    struct tuntap tuntap;
-    struct route_list route_list;
-    struct link_socket link_socket;
-    struct link_socket_actual to_link_addr;
 
-    memset(cne, 0, sizeof(cne));
-
-    fuzzer_set_input((unsigned char*)data, size);
-    gc = gc_new();
-    memset(&buf, 0, sizeof(buf));
     FUZZER_GET_INTEGER(generic_ssizet, 1);
     switch ( generic_ssizet )
     {
         case 0:
-            ctx.options.ce.mssfix = 0;
+            options->ce.mssfix = 0;
             break;
         case 1:
-            ctx.options.ce.mssfix = 1;
+            options->ce.mssfix = 1;
             break;
     }
 
@@ -45,10 +31,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     switch ( generic_ssizet )
     {
         case 0:
-            ctx.options.passtos = false;
+            options->passtos = false;
             break;
         case 1:
-            ctx.options.passtos = true;
+            options->passtos = true;
             break;
     }
 
@@ -56,10 +42,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     switch ( generic_ssizet )
     {
         case 0:
-            ctx.options.mode = MODE_POINT_TO_POINT;
+            options->mode = MODE_POINT_TO_POINT;
             break;
         case 1:
-            ctx.options.mode = MODE_SERVER;
+            options->mode = MODE_SERVER;
             break;
     }
 
@@ -67,71 +53,94 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     switch ( generic_ssizet )
     {
         case 0:
-            ctx.options.allow_recursive_routing= true;
+            options->allow_recursive_routing= true;
             break;
         case 1:
-            ctx.options.allow_recursive_routing = false;
+            options->allow_recursive_routing = false;
             break;
     }
 
-    ctx.options.client_nat = new_client_nat_list(&gc);
+    options->client_nat = new_client_nat_list(gc);
 
     FUZZER_GET_INTEGER(num_loops, MAX_CLIENT_NAT);
     for (n = 0; n < num_loops; n++) {
         struct client_nat_entry* _cne;
-        cne[n] = malloc(sizeof(struct client_nat_entry));
+        ALLOC_ARRAY_GC(cne[n], struct client_nat_entry, 1, gc);
         _cne = cne[n];
         FUZZER_GET_DATA(_cne, sizeof(struct client_nat_entry));
-        client_nat_add_entry(ctx.options.client_nat, _cne);
+        client_nat_add_entry(options->client_nat, _cne);
     }
 
     FUZZER_GET_INTEGER(generic_ssizet, 1);
     switch ( generic_ssizet )
     {
         case 0:
-            ctx.options.route_gateway_via_dhcp = false;
+            options->route_gateway_via_dhcp = false;
             break;
         case 1:
-            ctx.options.route_gateway_via_dhcp = true;
+            options->route_gateway_via_dhcp = true;
             break;
     }
 
-    ctx.c1.tuntap = &tuntap;
+    return 0;
+
+cleanup:
+    return -1;
+}
+
+static int init_tuntap(struct tuntap* tuntap)
+{
+    ssize_t generic_ssizet;
+
     FUZZER_GET_INTEGER(generic_ssizet, 3);
     switch ( generic_ssizet )
     {
         case 0:
-            tuntap.type = DEV_TYPE_UNDEF;
+            tuntap->type = DEV_TYPE_UNDEF;
             break;
         case 1:
-            tuntap.type = DEV_TYPE_NULL;
+            tuntap->type = DEV_TYPE_NULL;
             break;
         case 2:
-            tuntap.type = DEV_TYPE_TUN;
+            tuntap->type = DEV_TYPE_TUN;
             break;
         case 3:
-            tuntap.type = DEV_TYPE_TAP;
+            tuntap->type = DEV_TYPE_TAP;
             break;
     }
+    return 0;
 
-    ctx.c1.route_list = &route_list;
+cleanup:
+    return -1;
+}
 
-    ctx.c2.link_socket = &link_socket;
+static int init_c2(struct context_2* c2, struct gc_arena* gc)
+{
+    unsigned int generic_uint;
+    ssize_t generic_ssizet;
+    struct link_socket_actual* to_link_addr = NULL;
+    struct link_socket* link_socket = NULL;
+    struct buffer buf;
+
+    memset(&buf, 0, sizeof(buf));
+
+    ALLOC_ARRAY_GC(link_socket, struct link_socket, 1, gc);
 
-    ctx.c2.es = env_set_create(&gc);
+    c2->link_socket = link_socket;
+
+    c2->es = env_set_create(gc);
 
     FUZZER_GET_DATA(&generic_uint, sizeof(generic_uint));
-    ctx.c2.frame.link_mtu_dynamic = generic_uint;
+    c2->frame.link_mtu_dynamic = generic_uint;
     FUZZER_GET_DATA(&generic_uint, sizeof(generic_uint));
-    ctx.c2.frame.extra_frame = generic_uint;
+    c2->frame.extra_frame = generic_uint;
     FUZZER_GET_DATA(&generic_uint, sizeof(generic_uint));
-    ctx.c2.frame.extra_tun = generic_uint;
-
-    FUZZER_GET_DATA(&flags, sizeof(flags));
+    c2->frame.extra_tun = generic_uint;
 
     if ( fuzzer_get_current_size() == 0 ) {
         goto cleanup;
     }
+
     buf = alloc_buf(fuzzer_get_current_size());
 
     if ( buf_write(&buf, fuzzer_get_current_data(), fuzzer_get_current_size()) == false ) {
@@ -139,27 +148,66 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
     }
 
     fuzzer_alter_buffer(&buf);
-    ctx.c2.buf = buf;
-    ctx.c2.log_rw = false;
+    c2->buf = buf;
+    c2->log_rw = false;
 
     FUZZER_GET_INTEGER(generic_ssizet, 1);
     switch ( generic_ssizet )
     {
         case    0:
-            ctx.c2.to_link_addr = NULL;
+            c2->to_link_addr = NULL;
             break;
         case    1:
-            FUZZER_GET_DATA(&to_link_addr, sizeof(to_link_addr));
-            ctx.c2.to_link_addr = &to_link_addr;
+            ALLOC_ARRAY_GC(to_link_addr, struct link_socket_actual, 1, gc);
+            FUZZER_GET_DATA(to_link_addr, sizeof(to_link_addr));
+            c2->to_link_addr = to_link_addr;
             break;
     }
+    return 0;
 
-    process_incoming_tun(&ctx);
 cleanup:
-    for (n = 0; n < MAX_CLIENT_NAT; n++) {
-        free(cne[n]);
+    return -1;
+}
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    struct gc_arena gc;
+    struct client_nat_entry* cne[MAX_CLIENT_NAT];
+    ssize_t generic_ssizet;
+    unsigned int generic_uint;
+    size_t n;
+    counter_type counter;
+    struct context ctx;
+    struct tuntap tuntap;
+    struct route_list route_list;
+
+    memset(&ctx, 0, sizeof(ctx));
+    memset(cne, 0, sizeof(cne));
+
+    fuzzer_set_input((unsigned char*)data, size);
+    gc = gc_new();
+
+    if ( _init_options(&ctx.options, cne, &gc) == -1 ) {
+        goto cleanup;
     }
-    free_buf(&buf);
+
+    if ( init_tuntap(&tuntap) == -1 ) {
+        goto cleanup;
+    }
+
+    ctx.c1.tuntap = &tuntap;
+
+    if ( init_c2(&ctx.c2, &gc) == -1 ) {
+        goto cleanup;
+    }
+
+    ctx.c1.route_list = &route_list;
+
+    process_incoming_tun(&ctx);
+
+cleanup:
+    free_buf(&ctx.c2.buf);
     gc_free(&gc);
 
     return 0;
-- 
2.47.2