diff --git a/src/fuzzers/CMakeLists.txt b/src/fuzzers/CMakeLists.txt
index 0b23958b3a..4f23a282be 100644
--- a/src/fuzzers/CMakeLists.txt
+++ b/src/fuzzers/CMakeLists.txt
@@ -81,3 +81,7 @@ target_link_libraries(zeek_fuzzer_shared
 add_fuzz_target(dns)
 add_fuzz_target(pop3)
 add_fuzz_target(packet)
+add_fuzz_target(http)
+add_fuzz_target(imap)
+add_fuzz_target(smtp)
+add_fuzz_target(ftp)
diff --git a/src/fuzzers/ftp-corpus.zip b/src/fuzzers/ftp-corpus.zip
new file mode 100644
index 0000000000..21c3271b61
Binary files /dev/null and b/src/fuzzers/ftp-corpus.zip differ
diff --git a/src/fuzzers/ftp-fuzzer.cc b/src/fuzzers/ftp-fuzzer.cc
new file mode 100644
index 0000000000..27bef5dd8a
--- /dev/null
+++ b/src/fuzzers/ftp-fuzzer.cc
@@ -0,0 +1,78 @@
+#include
+
+#include "zeek/Conn.h"
+#include "zeek/RunState.h"
+#include "zeek/analyzer/Analyzer.h"
+#include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/pia/PIA.h"
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+#include "zeek/fuzzers/FuzzBuffer.h"
+#include "zeek/fuzzers/fuzzer-setup.h"
+#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
+#include "zeek/session/Manager.h"
+
+static constexpr auto ZEEK_FUZZ_ANALYZER = "ftp";
+
+static zeek::Connection* add_connection()
+ {
+ static constexpr double network_time_start = 1439471031;
+ zeek::run_state::detail::update_network_time(network_time_start);
+
+ zeek::Packet p;
+ zeek::ConnTuple conn_id;
+ conn_id.src_addr = zeek::IPAddr("1.2.3.4");
+ conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
+ conn_id.src_port = htons(23132);
+ conn_id.dst_port = htons(80);
+ conn_id.is_one_way = false;
+ conn_id.proto = TRANSPORT_TCP;
+ zeek::detail::ConnKey key(conn_id);
+ zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
+ conn->SetTransport(TRANSPORT_TCP);
+ zeek::session_mgr->Insert(conn);
+ return conn;
+ }
+
+static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
+ {
+ auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
+ auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
+ auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
+ tcp->AddChildAnalyzer(a);
+ tcp->AddChildAnalyzer(pia->AsAnalyzer());
+ conn->SetSessionAdapter(tcp, pia);
+ return a;
+ }
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+ {
+ zeek::detail::FuzzBuffer fb{data, size};
+
+ if ( ! fb.Valid() )
+ return 0;
+
+ auto conn = add_connection();
+ auto a = add_analyzer(conn);
+
+ for ( ;; )
+ {
+ auto chunk = fb.Next();
+
+ if ( ! 
chunk )
+ break;
+
+ try
+ {
+ a->DeliverStream(chunk->size, chunk->data.get(), chunk->is_orig);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ }
+
+ chunk = {};
+ zeek::event_mgr.Drain();
+ }
+
+ zeek::detail::fuzzer_cleanup_one_input();
+ return 0;
+ }
diff --git a/src/fuzzers/http-corpus.zip b/src/fuzzers/http-corpus.zip
new file mode 100644
index 0000000000..2b7a50eda3
Binary files /dev/null and b/src/fuzzers/http-corpus.zip differ
diff --git a/src/fuzzers/http-fuzzer.cc b/src/fuzzers/http-fuzzer.cc
new file mode 100644
index 0000000000..669c3cadf7
--- /dev/null
+++ b/src/fuzzers/http-fuzzer.cc
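Review bot: `add_analyzer` hands the result of `InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn)` straight to `tcp->AddChildAnalyzer(a)` and the loop in `LLVMFuzzerTestOneInput` then calls `a->DeliverStream(...)` without a null check, so if the named analyzer is not registered or is disabled in this build every input crashes on a null dereference instead of reporting a setup problem; I can't see that call's contract from here, but if it can return null, add `if ( ! a ) abort(); // analyzer named by ZEEK_FUZZ_ANALYZER is not available in this build` directly after it. The same applies to the http, imap and smtp hunks, which are identical apart from the `ZEEK_FUZZ_ANALYZER` string; a single shared harness that takes the analyzer name as a compile definition would keep the four copies from drifting apart. `catch ( const binpac::Exception& e )` never uses `e`, so drop the binding to avoid an unused-variable warning: `catch ( const binpac::Exception& )`. `conn_id.dst_port = htons(80)` is copied into the ftp, imap and smtp harnesses as well; if the analyzer is attached by name rather than selected by port that is harmless, but a one-line comment saying so would stop the next reader from assuming the tuple matters.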
@@ -0,0 +1,78 @@
+#include
+
+#include "zeek/Conn.h"
+#include "zeek/RunState.h"
+#include "zeek/analyzer/Analyzer.h"
+#include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/pia/PIA.h"
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+#include "zeek/fuzzers/FuzzBuffer.h"
+#include "zeek/fuzzers/fuzzer-setup.h"
+#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
+#include "zeek/session/Manager.h"
+
+static constexpr auto ZEEK_FUZZ_ANALYZER = "http";
+
+static zeek::Connection* add_connection()
+ {
+ static constexpr double network_time_start = 1439471031;
+ zeek::run_state::detail::update_network_time(network_time_start);
+
+ zeek::Packet p;
+ zeek::ConnTuple conn_id;
+ conn_id.src_addr = zeek::IPAddr("1.2.3.4");
+ conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
+ conn_id.src_port = htons(23132);
+ conn_id.dst_port = htons(80);
+ conn_id.is_one_way = false;
+ conn_id.proto = TRANSPORT_TCP;
+ zeek::detail::ConnKey key(conn_id);
+ zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
+ conn->SetTransport(TRANSPORT_TCP);
+ zeek::session_mgr->Insert(conn);
+ return conn;
+ }
+
+static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
+ {
+ auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
+ auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
+ auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
+ tcp->AddChildAnalyzer(a);
+ tcp->AddChildAnalyzer(pia->AsAnalyzer());
+ conn->SetSessionAdapter(tcp, pia);
+ return a;
+ }
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+ {
+ zeek::detail::FuzzBuffer fb{data, size};
+
+ if ( ! fb.Valid() )
+ return 0;
+
+ auto conn = add_connection();
+ auto a = add_analyzer(conn);
+
+ for ( ;; )
+ {
+ auto chunk = fb.Next();
+
+ if ( ! 
chunk )
+ break;
+
+ try
+ {
+ a->DeliverStream(chunk->size, chunk->data.get(), chunk->is_orig);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ }
+
+ chunk = {};
+ zeek::event_mgr.Drain();
+ }
+
+ zeek::detail::fuzzer_cleanup_one_input();
+ return 0;
+ }
diff --git a/src/fuzzers/imap-corpus.zip b/src/fuzzers/imap-corpus.zip
new file mode 100644
index 0000000000..b55f1fba9b
Binary files /dev/null and b/src/fuzzers/imap-corpus.zip differ
diff --git a/src/fuzzers/imap-fuzzer.cc b/src/fuzzers/imap-fuzzer.cc
new file mode 100644
index 0000000000..d375f563a2
--- /dev/null
+++ b/src/fuzzers/imap-fuzzer.cc
@@ -0,0 +1,78 @@
+#include
+
+#include "zeek/Conn.h"
+#include "zeek/RunState.h"
+#include "zeek/analyzer/Analyzer.h"
+#include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/pia/PIA.h"
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+#include "zeek/fuzzers/FuzzBuffer.h"
+#include "zeek/fuzzers/fuzzer-setup.h"
+#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
+#include "zeek/session/Manager.h"
+
+static constexpr auto ZEEK_FUZZ_ANALYZER = "imap";
+
+static zeek::Connection* add_connection()
+ {
+ static constexpr double network_time_start = 1439471031;
+ zeek::run_state::detail::update_network_time(network_time_start);
+
+ zeek::Packet p;
+ zeek::ConnTuple conn_id;
+ conn_id.src_addr = zeek::IPAddr("1.2.3.4");
+ conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
+ conn_id.src_port = htons(23132);
+ conn_id.dst_port = htons(80);
+ conn_id.is_one_way = false;
+ conn_id.proto = TRANSPORT_TCP;
+ zeek::detail::ConnKey key(conn_id);
+ zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
+ conn->SetTransport(TRANSPORT_TCP);
+ zeek::session_mgr->Insert(conn);
+ return conn;
+ }
+
+static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
+ {
+ auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
+ auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
+ auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
+ tcp->AddChildAnalyzer(a);
+ tcp->AddChildAnalyzer(pia->AsAnalyzer());
+ conn->SetSessionAdapter(tcp, pia);
+ return a;
+ }
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+ {
+ zeek::detail::FuzzBuffer fb{data, size};
+
+ if ( ! fb.Valid() )
+ return 0;
+
+ auto conn = add_connection();
+ auto a = add_analyzer(conn);
+
+ for ( ;; )
+ {
+ auto chunk = fb.Next();
+
+ if ( ! 
chunk )
+ break;
+
+ try
+ {
+ a->DeliverStream(chunk->size, chunk->data.get(), chunk->is_orig);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ }
+
+ chunk = {};
+ zeek::event_mgr.Drain();
+ }
+
+ zeek::detail::fuzzer_cleanup_one_input();
+ return 0;
+ }
diff --git a/src/fuzzers/smtp-corpus.zip b/src/fuzzers/smtp-corpus.zip
new file mode 100644
index 0000000000..1d47fd877d
Binary files /dev/null and b/src/fuzzers/smtp-corpus.zip differ
diff --git a/src/fuzzers/smtp-fuzzer.cc b/src/fuzzers/smtp-fuzzer.cc
new file mode 100644
index 0000000000..378d27311c
--- /dev/null
+++ b/src/fuzzers/smtp-fuzzer.cc
@@ -0,0 +1,78 @@
+#include
+
+#include "zeek/Conn.h"
+#include "zeek/RunState.h"
+#include "zeek/analyzer/Analyzer.h"
+#include "zeek/analyzer/Manager.h"
+#include "zeek/analyzer/protocol/pia/PIA.h"
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+#include "zeek/fuzzers/FuzzBuffer.h"
+#include "zeek/fuzzers/fuzzer-setup.h"
+#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
+#include "zeek/session/Manager.h"
+
+static constexpr auto ZEEK_FUZZ_ANALYZER = "smtp";
+
+static zeek::Connection* add_connection()
+ {
+ static constexpr double network_time_start = 1439471031;
+ zeek::run_state::detail::update_network_time(network_time_start);
+
+ zeek::Packet p;
+ zeek::ConnTuple conn_id;
+ conn_id.src_addr = zeek::IPAddr("1.2.3.4");
+ conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
+ conn_id.src_port = htons(23132);
+ conn_id.dst_port = htons(80);
+ conn_id.is_one_way = false;
+ conn_id.proto = TRANSPORT_TCP;
+ zeek::detail::ConnKey key(conn_id);
+ zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
+ conn->SetTransport(TRANSPORT_TCP);
+ zeek::session_mgr->Insert(conn);
+ return conn;
+ }
+
+static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
+ {
+ auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
+ auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
+ auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
+ tcp->AddChildAnalyzer(a);
+ tcp->AddChildAnalyzer(pia->AsAnalyzer());
+ conn->SetSessionAdapter(tcp, pia);
+ return a;
+ }
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+ {
+ zeek::detail::FuzzBuffer fb{data, size};
+
+ if ( ! fb.Valid() )
+ return 0;
+
+ auto conn = add_connection();
+ auto a = add_analyzer(conn);
+
+ for ( ;; )
+ {
+ auto chunk = fb.Next();
+
+ if ( ! 
chunk )
+ break;
+
+ try
+ {
+ a->DeliverStream(chunk->size, chunk->data.get(), chunk->is_orig);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ }
+
+ chunk = {};
+ zeek::event_mgr.Drain();
+ }
+
+ zeek::detail::fuzzer_cleanup_one_input();
+ return 0;
+ }