From 48ee85df0b0ebdd3fe53f3eee679215aa5241013 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Sun, 3 May 2020 16:58:40 -0400 Subject: [PATCH 1/4] add packet fuzzer --- src/fuzzers/CMakeLists.txt | 1 + src/fuzzers/packet-fuzzer.cc | 50 ++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 src/fuzzers/packet-fuzzer.cc diff --git a/src/fuzzers/CMakeLists.txt b/src/fuzzers/CMakeLists.txt index 97a050d265..bd637979ac 100644 --- a/src/fuzzers/CMakeLists.txt +++ b/src/fuzzers/CMakeLists.txt @@ -70,3 +70,4 @@ target_link_libraries(zeek_fuzzer_shared ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) add_fuzz_target(pop3) +add_fuzz_target(packet) diff --git a/src/fuzzers/packet-fuzzer.cc b/src/fuzzers/packet-fuzzer.cc new file mode 100644 index 0000000000..f37110604a --- /dev/null +++ b/src/fuzzers/packet-fuzzer.cc @@ -0,0 +1,50 @@ +#include "binpac.h" + +#include "Net.h" +#include "Conn.h" +#include "Sessions.h" +#include "analyzer/Analyzer.h" +#include "analyzer/Manager.h" +#include "analyzer/protocol/pia/PIA.h" +#include "analyzer/protocol/tcp/TCP.h" + +#include "FuzzBuffer.h" +#include "fuzzer-setup.h" + +#include "pcap/dlt.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) + { + + zeek::detail::FuzzBuffer fb{data, size}; + + if ( ! fb.Valid() ) + return 0; + + for ( ; ; ) + { + auto chunk = fb.Next(); + + if ( ! chunk ) + break; + + Packet pkt; + auto timestamp = current_time(true); + pkt_timeval ts = {long(timestamp), 0}; + pkt.Init(DLT_RAW, &ts, chunk->size, chunk->size, chunk->data.get(), false, ""); + + try + { + sessions->NextPacket(timestamp, &pkt); + } + catch ( binpac::Exception const &e ) + { + } + + chunk = {}; + mgr.Drain(); + } + + zeek::detail::fuzzer_cleanup_one_input(); + return 0; + } From dd458a810e1bdc4784bf96796b5c7d3389d1f0ad Mon Sep 17 00:00:00 2001 
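Review bot: `chunk = {};` releases the chunk's buffer before `mgr.Drain()` runs, while `pkt` is still in scope and, given the `false` passed to `pkt.Init(...)` (presumably the copy flag), only borrows `chunk->data.get()`; if anything queued by `sessions->NextPacket` or any analyzer still holds a pointer into the packet bytes when the drain runs, that would be a use-after-free attributable to the harness rather than to Zeek. Swapping the two statements, `mgr.Drain(); chunk = {};`, costs nothing and keeps the borrowed data alive for the whole iteration. The empty `catch ( binpac::Exception const &e )` names an `e` it never uses; `catch ( const binpac::Exception& ) { /* malformed input is expected here, not a finding */ }` documents why it is swallowed, and a comment that any other exception type is left to propagate as a fuzzer crash would make that choice explicit (it looks intentional but the hunk does not say so).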
From: Justin Azoff Date: Fri, 15 May 2020 11:52:11 -0400 Subject: [PATCH 2/4] add initial packet corpus This contains converted files from the test suite: dns53.cap ipv6-fragmented-dns.trace.cap ipv6-hbh-routing0.trace.cap ipv6-http-atomic-frag.trace.cap ipv6_zero_len_ah.trace.cap and a new one I made: syn_packet.cap --- src/fuzzers/packet-corpus.zip | Bin 0 -> 2611 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/fuzzers/packet-corpus.zip 
diff --git a/src/fuzzers/packet-corpus.zip b/src/fuzzers/packet-corpus.zip new file mode 100644 index 0000000000000000000000000000000000000000..8ffc9d4162f6615378c64137fddf1119e83329b9 GIT binary patch literal 2611 zcmb7G3sh2D8a_OPloJo7Ld`NYH3T!r9(JeD%n~sPny%e4Kn1mw7@+c1B671r4U;lV zi_9`B^Kq5bO1Y+H5AEU1y))OYVK&;sN^^SPwVcyqT2`xDbN1TntaH}h|F`$IzyJR> zI|zX!0st@$Ag?Q9TLoLYKY_k(!T`V$m<&XUW!`kp2!Z6UD=h&8P*=Y$1?rpPF#rtt z3>x!xY6Lid6-b5r?~;1xh_q~d`Jg!gJ-f!A^lw`h)V44~mIubg@cEG@K0k^dMW%{8 z>9oG(mnfbyF0;tgz+gdp5LEzNrcW`!vO(}F6{Pe@9X3xJ+URv~ynpYZg1VP9T0>h^ ztwUxCpu4S^Hrqm%B5FA;j;udlcE`CN8=)i%BHBIXd{^FUv?3CmK|%ybpc4rTHS;Nf zCC$^XUNYB$_j(u=w+l`gMdau*l>CN`^1mB48gp!53>*PaHfP`~BUi zB^4=K_$HA8{`yjJ9f@TNPYD?8q|>~-loqyTCYfnv&E?RBZuVqmX6T-R^Ph5ptYzer zyFzI>YWn;=9CamE#_`Z`xlCIUk}*8nLg8c2s1q3IiI}{?&h3xwP#xT`j4r0b$n#Ri zPG8MVc_(gwaSLcdPgqQ&sVDe3`4M+@U6>;SB)OlVH67v9S zjO-VkzA@iD2VI)G6aMc1`vHuKhlH(FK83^4DE~>lRd8nm4*kg)uZHgmWk6ZMhr0d$ z&Nw zKktCSNjF}yz+;To-$f(>;Zxx~M|r-EheN4~0f4C=7A2QUr~>)MxR{8yBK)?6wdI6F z+xQY&ZlCJpM_@|geqpFjnT|HOmgX|guJkyL9+g*D%qRX<6dRc%zH@l+`Woc4DM^Da zN>ke^RX*~5ExK%7(T<9PPL%3rg;O$~1Z!ihD;At}$EwaLPjU zDAbotpL?bOOrBRiKgZ{Uwmr+VTl#B{Yvi&G>B}Bn2fTEL zAE%s3Us>bRha6uc_Q=p!{G~|SYsd$J@c0$XA#b3K(py@>KO+*|L~Yx$p*i-(WmZ9m zy<1iMk(Q459@5F9oh{^ssH|7#R2IKSPd4pC9B3?@vXr=@d%)dz6l3XKubmU#^k{sd zF7)8sTj@3)FO$w%C~tIz{p%Tyd~fTx%JVwCLbF7yOjhsVdTM8{qM{O?KVCoSA9ptl z?X$T{7FPfBg}QjRqYGn(eb?h#L`yVJ=8mIJ1nipZ}lDJ-bKJXvD0+^u}%zRfsPfxM&x<0*)rH7U_AswJ9O? zR?R2pHXaTY@wmO?RsC%D-bY#NnpG8P`qg&P%VR9l9D&7>r#ZLr1E)pVwM%7TGcf5! 
z*vke#0ZF-c|J;lH1XUOLk6R1)X{`a?mOzTc+IG-5|0;I z>uIBBD$C6t&-=O$*o-ULV?LDJ@6}MAM~1t_l<$4L4lMqaE?%o9X^o0i|25mZLumM2H8z(#PH zf{=Ob??z2khs&vOrL!GhWnZWejO$2oRi%!m))aK>-9l&N2{SS#gAe}Dy7th)3rifp zt|6OpQcF{7vmP7nm~agiMz1>-u-zZtwMN9czGM|U0CAx#iox6_fva*)3tC8ZlU9>< zs}V7VZad`4K=c0Xn(TVTjMqGbzqc2CWb~pUyHfX?t)X=mpAglw=gzFPDsenI?ZhyQ zvVCk`8^X%iGu!cISBM5G)Ugl^vIH?tB8b=^lz(s#x7t7T;p@=u(S|C_S`f@&TxDM| zI<^BAFct_(i)~3zX@kM1AiiYzBnb80Q~*n@$LffiTRHW_qiXA4M&4q@+kewM7)RiQgQw^fR9V-Sb&os0RE)VejCWgavuwljC!|=FNy!_@jutm h*!XE^;4@W0G2f`_Gv+OzwEzGLY81$82BDb%@LxPuujv2) literal 0 HcmV?d00001 From e78a5be17ddef36d8cf21274bf76068c23696fd8 Mon Sep 17 00:00:00 2001 From: Justin Date: Fri, 15 May 2020 15:59:46 -0400 Subject: [PATCH 3/4] Update src/fuzzers/packet-fuzzer.cc Remove unused #includes Co-authored-by: Tim Wojtulewicz --- src/fuzzers/packet-fuzzer.cc | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/fuzzers/packet-fuzzer.cc b/src/fuzzers/packet-fuzzer.cc index f37110604a..3401b00c19 100644 --- a/src/fuzzers/packet-fuzzer.cc +++ b/src/fuzzers/packet-fuzzer.cc @@ -1,12 +1,8 @@ #include "binpac.h" -#include "Net.h" -#include "Conn.h" +#include "iosource/Packet.h" +#include "Event.h" #include "Sessions.h" -#include "analyzer/Analyzer.h" -#include "analyzer/Manager.h" -#include "analyzer/protocol/pia/PIA.h" -#include "analyzer/protocol/tcp/TCP.h" #include "FuzzBuffer.h" #include "fuzzer-setup.h" From afde8a959685b184fbb9a4336eee3baf94c36ee1 Mon Sep 17 00:00:00 2001 From: Justin Date: Fri, 15 May 2020 16:05:21 -0400 Subject: [PATCH 4/4] Update src/fuzzers/packet-fuzzer.cc Use a constant timestamp for packets Co-authored-by: Jon Siwek --- src/fuzzers/packet-fuzzer.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/fuzzers/packet-fuzzer.cc b/src/fuzzers/packet-fuzzer.cc index 3401b00c19..ca8e2cecf8 100644 --- a/src/fuzzers/packet-fuzzer.cc +++ b/src/fuzzers/packet-fuzzer.cc 
@@ -25,8 +25,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
 break;

 Packet pkt;
- auto timestamp = current_time(true);
- pkt_timeval ts = {long(timestamp), 0};
+ auto timestamp = 42;
+ pkt_timeval ts = {timestamp, 0};
 pkt.Init(DLT_RAW, &ts, chunk->size, chunk->size, chunk->data.get(), false, "");

 try
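Review bot: The fixed `42` deserves a comment in the code, since the motive lives only in the commit text and a later reader may be tempted to restore `current_time()`: `// Fixed timestamp: the harness must be deterministic so a crashing input reproduces on its own.` Style-wise, `auto timestamp = 42;` deduces `int`, which then widens implicitly into `ts.tv_sec` and into the time argument of `sessions->NextPacket` (a `double` in the replaced code); `constexpr time_t timestamp = 42;` names the unit and keeps `{timestamp, 0}` free of narrowing, assuming `pkt_timeval` is the usual `struct timeval`. The same comment should state the consequence that every packet now carries an identical time, so any logic keyed on elapsed packet time (fragment or connection expiry, if it is reached through this path at all) can never advance in this harness. LLVMFuzzerTestOneInput begins and ends outside this hunk.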