/src/openiked-portable/regress/parser-libfuzzer/test_parser_fuzz.c
/*  $OpenBSD$ */
/*
 * Fuzz tests for payload parsing
 *
 * Placed in the public domain
 */
#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/uio.h>
#include <event.h>
#include <imsg.h>
#include <string.h>
#include "iked.h"
#include "ikev2.h"
/*
 * Template for the two IKE SPIs ("cookies") that open an IKE message:
 * 8 bytes initiator SPI followed by 8 bytes responder SPI.  In this file
 * the array is only used for its size (offset arithmetic and the minimum
 * input length); the SPI bytes themselves come from the fuzzed input.
 */
u_int8_t cookies[] = {
	/* initiator cookie */
	0xde, 0xad, 0xbe, 0xef,
	0xca, 0xfe, 0x00, 0x01,
	/* responder cookie */
	0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00
};
/*
 * Template for the 12 bytes of generic IKE header that follow the SPIs:
 * next payload, major/minor version, exchange type, flags, message ID and
 * total length.  Like cookies[], it is only referenced via sizeof() here;
 * the header fields are read from the fuzzed input.
 */
u_int8_t genhdr[] = {
	0x00,			/* next payload */
	0x20,			/* major/minor version */
	0x22,			/* exchange type */
	0x08,			/* flags */
	0x00, 0x00, 0x00, 0x00,	/* message ID */
	0x00, 0x00, 0x00, 0x00	/* total length */
};
/*
 * Byte offsets into the raw fuzzed message.  The two SPIs occupy the first
 * sizeof(cookies) (16) bytes; the generic header fields follow at the
 * positions laid out in genhdr[].  The flags byte (3 + sizeof(cookies)) and
 * the message ID (4 + sizeof(cookies)) are not extracted by this fuzzer.
 */
#define OFFSET_ICOOKIE    0
#define OFFSET_RCOOKIE    8
#define OFFSET_NEXTPAYLOAD  (0 + sizeof(cookies))
#define OFFSET_VERSION    (1 + sizeof(cookies))
#define OFFSET_EXCHANGE   (2 + sizeof(cookies))
/* 4-byte total-length field; OFFSET_LENGTH + 4 is the minimum usable input. */
#define OFFSET_LENGTH   (8 + sizeof(cookies))
/*
 * Return a pointer to the 8-byte initiator SPI at the start of the raw
 * message.  data must hold at least OFFSET_LENGTH + 4 bytes; the fuzzer
 * entry point checks the input size before calling.
 */
static u_int8_t *
get_icookie(u_int8_t *data)
{
	return data + OFFSET_ICOOKIE;
}
/*
 * Return a pointer to the 8-byte responder SPI, which directly follows the
 * initiator SPI.  Same size precondition on data as get_icookie().
 */
static u_int8_t *
get_rcookie(u_int8_t *data)
{
	return data + OFFSET_RCOOKIE;
}
/*
 * Return the "next payload" byte, the first byte of the generic header
 * after the two SPIs.  No validation is performed; the value is passed
 * through to the parser as found in the input.
 */
static u_int8_t
get_nextpayload(u_int8_t *data)
{
	u_int8_t *p = data + OFFSET_NEXTPAYLOAD;

	return *p;
}
/*
 * Return the major/minor version byte of the generic header.  Any value is
 * accepted here so the parser's own version handling gets fuzzed.
 */
static u_int8_t
get_version(u_int8_t *data)
{
	u_int8_t *p = data + OFFSET_VERSION;

	return *p;
}
/*
 * Return the exchange-type byte of the generic header, unvalidated.
 */
static u_int8_t
get_exchange(u_int8_t *data)
{
	u_int8_t *p = data + OFFSET_EXCHANGE;

	return *p;
}
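/*
 * Return the 4-byte total-length field of the generic header.
 *
 * The bytes are copied with memcpy() rather than read through a
 * (u_int32_t *) cast: the input is a plain byte buffer, so the cast
 * violates strict aliasing and assumes 4-byte alignment of data + 24,
 * neither of which is guaranteed by the ibuf backing store.
 *
 * No byte-order conversion is done; the value is stored into
 * hdr->ike_length exactly as it appears in the input.  NOTE(review):
 * presumably struct ike_header keeps the field in wire (network) order
 * and the parser converts it — confirm against ikev2.h.
 */
static u_int32_t
get_length(u_int8_t *data)
{
	u_int32_t	 len;

	memcpy(&len, &data[OFFSET_LENGTH], sizeof(len));
	return len;
}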
/*
 * Populate hdr from the fixed header at the start of the fuzzed input.
 *
 * hdr is zeroed first, then each field is copied byte-for-byte from the
 * offsets defined above; nothing is validated or byte-swapped here.  The
 * caller must have verified that data holds at least
 * sizeof(cookies) + sizeof(genhdr) bytes.
 */
static void
prepare_header(struct ike_header *hdr, struct ibuf *data)
{
	u_int8_t	*raw = ibuf_data(data);

	memset(hdr, 0, sizeof(*hdr));

	/* memcpy(dst, src, n): the two 8-byte SPIs. */
	memcpy(&hdr->ike_ispi, get_icookie(raw), sizeof(hdr->ike_ispi));
	memcpy(&hdr->ike_rspi, get_rcookie(raw), sizeof(hdr->ike_rspi));

	/* Single-byte fields of the generic header. */
	hdr->ike_nextpayload = get_nextpayload(raw);
	hdr->ike_version = get_version(raw);
	hdr->ike_exchange = get_exchange(raw);

	/* Total length, 4 bytes, copied as-is. */
	hdr->ike_length = get_length(raw);
}
/*
 * Initialise msg as a stand-alone message wrapping the fuzzed buffer.
 *
 * A file-static, zeroed struct iked_sa stands in for the SA so the parser
 * has a non-NULL msg_sa to work with; it is reset on every call so inputs
 * do not influence each other.  msg is made its own parent and the two
 * payload queues are put into their empty state (a zeroed queue head is
 * not a valid empty TAILQ/SIMPLEQ).
 *
 * NOTE(review): msg_e = 1 presumably flags the message as encrypted so
 * the encrypted-payload parsing path is exercised — confirm in iked.h.
 */
static void
prepare_message(struct iked_message *msg, struct ibuf *data)
{
	static struct iked_sa	 sa;

	memset(&sa, 0, sizeof(sa));
	memset(msg, 0, sizeof(*msg));

	SIMPLEQ_INIT(&msg->msg_certreqs);
	TAILQ_INIT(&msg->msg_proposals);

	msg->msg_parent = msg;
	msg->msg_e = 1;
	msg->msg_data = data;
	msg->msg_sa = &sa;
}
/*
 * Entry point for libFuzzer: wrap one fuzz input in an ibuf, build a
 * header and message around it and run it through ikev2_pld_parse().
 *
 * Returns 0 for inputs that were processed (or were too short to carry a
 * fixed header) and -1 when the ibuf could not be allocated.
 *
 * NOTE(review): libFuzzer documents the first parameter as
 * const uint8_t *; the const char * used here is kept unchanged.
 * NOTE(review): on the parse path fuzzed is not freed in this function;
 * presumably ikev2_msg_cleanup() releases msg->msg_data since the message
 * is its own parent — confirm against ikev2_msg.c.
 */
int
LLVMFuzzerTestOneInput(const char *data, size_t size)
{
	struct ibuf		*fuzzed;
	struct ike_header	 hdr;
	struct iked_message	 msg;

	memset(&hdr, 0, sizeof(hdr));
	memset(&msg, 0, sizeof(msg));

	if ((fuzzed = ibuf_new(data, size)) == NULL) {
		fprintf(stderr, "%s\n", "ERROR: fuzzed == NULL! "
		    "(hint: fuzz-input too long?)");
		return -1;
	}

	/*
	 * prepare_header() reads the first sizeof(cookies) + sizeof(genhdr)
	 * bytes unconditionally, so shorter inputs are dropped here.
	 */
	if (size < sizeof(cookies) + sizeof(genhdr)) {
		ibuf_free(fuzzed);
		return 0;
	}

	prepare_header(&hdr, fuzzed);
	prepare_message(&msg, fuzzed);

	ikev2_pld_parse(NULL, &hdr, &msg, 0);
	ikev2_msg_cleanup(NULL, &msg);

	return 0;
}