From 52431bc55c5b02bcbc567605e54f8baf31086d43 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 24 Aug 2022 16:58:43 -0700
Subject: [PATCH 1/2] Add a way to create generic fuzzers without creating new files
---
 src/fuzzers/CMakeLists.txt | 32 +++++---
 ...p-fuzzer.cc => generic-analyzer-fuzzer.cc} | 6 +-
 src/fuzzers/http-fuzzer.cc | 78 -------------------
 src/fuzzers/imap-fuzzer.cc | 78 -------------------
 src/fuzzers/pop3-fuzzer.cc | 78 -------------------
 src/fuzzers/smtp-fuzzer.cc | 78 -------------------
 6 files changed, 25 insertions(+), 325 deletions(-)
 rename src/fuzzers/{ftp-fuzzer.cc => generic-analyzer-fuzzer.cc} (90%)
 delete mode 100644 src/fuzzers/http-fuzzer.cc
 delete mode 100644 src/fuzzers/imap-fuzzer.cc
 delete mode 100644 src/fuzzers/pop3-fuzzer.cc
 delete mode 100644 src/fuzzers/smtp-fuzzer.cc
diff --git a/src/fuzzers/CMakeLists.txt b/src/fuzzers/CMakeLists.txt
index 4f23a282be..1656ab5f70 100644
--- a/src/fuzzers/CMakeLists.txt
+++ b/src/fuzzers/CMakeLists.txt
@@ -29,12 +29,8 @@ endif ()
 # the shared lib, links it.
 string(REGEX MATCH ".*\\.a$" _have_static_bind_lib "${BIND_LIBRARY}")
-macro(ADD_FUZZ_TARGET _name)
- set(_fuzz_target zeek-${_name}-fuzzer)
- set(_fuzz_source ${_name}-fuzzer.cc)
-
+macro(SETUP_FUZZ_TARGET _fuzz_target _fuzz_source)
 add_executable(${_fuzz_target} ${_fuzz_source} ${ARGN})
-
 target_link_libraries(${_fuzz_target} zeek_fuzzer_shared)
 if ( _have_static_bind_lib )
@@ -49,6 +45,19 @@ macro(ADD_FUZZ_TARGET _name)
 target_link_libraries(${_fuzz_target} $)
 endif ()
+endmacro()
+
+macro(ADD_FUZZ_TARGET _name)
+ set(_fuzz_target zeek-${_name}-fuzzer)
+ set(_fuzz_source ${_name}-fuzzer.cc)
+ setup_fuzz_target(${_fuzz_target} ${_fuzz_source})
+endmacro ()
+
+macro(ADD_GENERIC_ANALYZER_FUZZ_TARGET _name)
+ set(_fuzz_target zeek-${_name}-fuzzer)
+ set(_fuzz_source generic-analyzer-fuzzer.cc)
+ setup_fuzz_target(${_fuzz_target} ${_fuzz_source})
+ target_compile_definitions(${_fuzz_target} PUBLIC ZEEK_FUZZ_ANALYZER=${_name})
 endmacro ()
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR})
@@ -78,10 +87,11 @@ target_link_libraries(zeek_fuzzer_shared ${zeek_fuzzer_shared_deps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
-add_fuzz_target(dns)
-add_fuzz_target(pop3)
 add_fuzz_target(packet)
-add_fuzz_target(http)
-add_fuzz_target(imap)
-add_fuzz_target(smtp)
-add_fuzz_target(ftp)
+add_fuzz_target(dns)
+
+add_generic_analyzer_fuzz_target(ftp)
+add_generic_analyzer_fuzz_target(http)
+add_generic_analyzer_fuzz_target(imap)
+add_generic_analyzer_fuzz_target(pop3)
+add_generic_analyzer_fuzz_target(smtp)
diff --git a/src/fuzzers/ftp-fuzzer.cc b/src/fuzzers/generic-analyzer-fuzzer.cc
similarity index 90%
rename from src/fuzzers/ftp-fuzzer.cc
rename to src/fuzzers/generic-analyzer-fuzzer.cc
index 67caf8be48..f054cbeefd 100644
--- a/src/fuzzers/ftp-fuzzer.cc
+++ b/src/fuzzers/generic-analyzer-fuzzer.cc
@@ -11,7 +11,9 @@
 #include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
 #include "zeek/session/Manager.h"
-static constexpr auto ZEEK_FUZZ_ANALYZER = "ftp";
+// Simple macros for converting a compiler define into a string.
+#define VAL(str) #str
+#define TOSTRING(str) VAL(str)
 static zeek::Connection* add_connection()
 {
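Review bot: `target_compile_definitions(${_fuzz_target} PUBLIC ZEEK_FUZZ_ANALYZER=${_name})` in ADD_GENERIC_ANALYZER_FUZZ_TARGET uses PUBLIC on an executable target, which has no consumers to propagate to; `PRIVATE` states what is actually meant and keeps the define from leaking if the target is ever restructured. Because `${_name}` is passed unquoted into a preprocessor define, the macro only works for names that are plain identifiers, and the value is looked up as an analyzer name at runtime rather than checked here; a comment above the macro such as `# _name must be a plain identifier: it becomes the ZEEK_FUZZ_ANALYZER define and is looked up as the analyzer name when the fuzzer runs` would save the next person a confusing failure. A smaller style point: the new `endmacro()` closing SETUP_FUZZ_TARGET differs from the `endmacro ()` spelling used by the two macros added right below it.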
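Review bot: With the analyzer name now supplied as a compiler define, building generic-analyzer-fuzzer.cc without `-DZEEK_FUZZ_ANALYZER=...` still compiles, and `TOSTRING(ZEEK_FUZZ_ANALYZER)` then expands to the literal string "ZEEK_FUZZ_ANALYZER", pushing the misconfiguration to runtime. A guard right after the two macros, `#ifndef ZEEK_FUZZ_ANALYZER` / `#error "ZEEK_FUZZ_ANALYZER must be defined to the name of the analyzer to fuzz"` / `#endif`, turns it into a build failure instead. The helper names VAL and TOSTRING are also generic enough to collide with other headers in a file that includes this much of zeek; a ZEEK_FUZZ_ prefix on both would be safer. add_connection(), whose opening brace is the hunk's last context line, continues outside the hunk.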
@@ -37,7 +39,7 @@ static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
 {
 auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
 auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
- auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
+ auto a = zeek::analyzer_mgr->InstantiateAnalyzer(TOSTRING(ZEEK_FUZZ_ANALYZER), conn);
 tcp->AddChildAnalyzer(a);
 tcp->AddChildAnalyzer(pia->AsAnalyzer());
 conn->SetSessionAdapter(tcp, pia);
diff --git a/src/fuzzers/http-fuzzer.cc b/src/fuzzers/http-fuzzer.cc
deleted file mode 100644
index 3ef6a11059..0000000000
--- a/src/fuzzers/http-fuzzer.cc
+++ /dev/null
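Review bot: `auto a = zeek::analyzer_mgr->InstantiateAnalyzer(TOSTRING(ZEEK_FUZZ_ANALYZER), conn);` is handed straight to `tcp->AddChildAnalyzer(a)` with no check that instantiation succeeded, and the name is now a build-time string rather than a constant reviewed in this file, so a typo in the CMake call or an analyzer that is compiled out reaches this line at runtime. I can't tell from the hunk what InstantiateAnalyzer returns for an unknown name; if it is a null pointer, every fuzz input would then crash inside the harness and look like a finding. A check such as `if ( ! a ) { fprintf(stderr, "cannot instantiate analyzer " TOSTRING(ZEEK_FUZZ_ANALYZER) "\n"); abort(); }` fails loudly on the first input with a clear message. add_analyzer()'s `return a;` and closing brace lie outside the hunk.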
@@ -1,78 +0,0 @@
-#include
-
-#include "zeek/Conn.h"
-#include "zeek/RunState.h"
-#include "zeek/analyzer/Analyzer.h"
-#include "zeek/analyzer/Manager.h"
-#include "zeek/analyzer/protocol/pia/PIA.h"
-#include "zeek/analyzer/protocol/tcp/TCP.h"
-#include "zeek/fuzzers/FuzzBuffer.h"
-#include "zeek/fuzzers/fuzzer-setup.h"
-#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
-#include "zeek/session/Manager.h"
-
-static constexpr auto ZEEK_FUZZ_ANALYZER = "http";
-
-static zeek::Connection* add_connection()
- {
- static constexpr double network_time_start = 1439471031;
- zeek::run_state::detail::update_network_time(network_time_start);
-
- zeek::Packet p;
- zeek::ConnTuple conn_id;
- conn_id.src_addr = zeek::IPAddr("1.2.3.4");
- conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
- conn_id.src_port = htons(23132);
- conn_id.dst_port = htons(80);
- conn_id.is_one_way = false;
- conn_id.proto = TRANSPORT_TCP;
- zeek::detail::ConnKey key(conn_id);
- zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
- conn->SetTransport(TRANSPORT_TCP);
- zeek::session_mgr->Insert(conn);
- return conn;
- }
-
-static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
- {
- auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
- auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
- auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
- tcp->AddChildAnalyzer(a);
- tcp->AddChildAnalyzer(pia->AsAnalyzer());
- conn->SetSessionAdapter(tcp, pia);
- return a;
- }
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
- {
- zeek::detail::FuzzBuffer fb{data, size};
-
- if ( ! fb.Valid() )
- return 0;
-
- auto conn = add_connection();
- auto a = add_analyzer(conn);
-
- for ( ;; )
- {
- auto chunk = fb.Next();
-
- if ( ! chunk )
- break;
-
- try
- {
- a->ForwardStream(chunk->size, chunk->data.get(), chunk->is_orig);
- }
- catch ( const binpac::Exception& e )
- {
- }
-
- chunk = {};
- zeek::event_mgr.Drain();
- }
-
- zeek::detail::fuzzer_cleanup_one_input();
- return 0;
- }
diff --git a/src/fuzzers/imap-fuzzer.cc b/src/fuzzers/imap-fuzzer.cc
deleted file mode 100644
index 89e8e3c730..0000000000
--- a/src/fuzzers/imap-fuzzer.cc
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "zeek/Conn.h"
-#include "zeek/RunState.h"
-#include "zeek/analyzer/Analyzer.h"
-#include "zeek/analyzer/Manager.h"
-#include "zeek/analyzer/protocol/pia/PIA.h"
-#include "zeek/analyzer/protocol/tcp/TCP.h"
-#include "zeek/fuzzers/FuzzBuffer.h"
-#include "zeek/fuzzers/fuzzer-setup.h"
-#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
-#include "zeek/session/Manager.h"
-
-static constexpr auto ZEEK_FUZZ_ANALYZER = "imap";
-
-static zeek::Connection* add_connection()
- {
- static constexpr double network_time_start = 1439471031;
- zeek::run_state::detail::update_network_time(network_time_start);
-
- zeek::Packet p;
- zeek::ConnTuple conn_id;
- conn_id.src_addr = zeek::IPAddr("1.2.3.4");
- conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
- conn_id.src_port = htons(23132);
- conn_id.dst_port = htons(80);
- conn_id.is_one_way = false;
- conn_id.proto = TRANSPORT_TCP;
- zeek::detail::ConnKey key(conn_id);
- zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
- conn->SetTransport(TRANSPORT_TCP);
- zeek::session_mgr->Insert(conn);
- return conn;
- }
-
-static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
- {
- auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
- auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
- auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
- tcp->AddChildAnalyzer(a);
- tcp->AddChildAnalyzer(pia->AsAnalyzer());
- conn->SetSessionAdapter(tcp, pia);
- return a;
- }
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
- {
- zeek::detail::FuzzBuffer fb{data, size};
-
- if ( ! fb.Valid() )
- return 0;
-
- auto conn = add_connection();
- auto a = add_analyzer(conn);
-
- for ( ;; )
- {
- auto chunk = fb.Next();
-
- if ( ! chunk )
- break;
-
- try
- {
- a->ForwardStream(chunk->size, chunk->data.get(), chunk->is_orig);
- }
- catch ( const binpac::Exception& e )
- {
- }
-
- chunk = {};
- zeek::event_mgr.Drain();
- }
-
- zeek::detail::fuzzer_cleanup_one_input();
- return 0;
- }
diff --git a/src/fuzzers/pop3-fuzzer.cc b/src/fuzzers/pop3-fuzzer.cc
deleted file mode 100644
index da59df96bd..0000000000
--- a/src/fuzzers/pop3-fuzzer.cc
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "zeek/Conn.h"
-#include "zeek/RunState.h"
-#include "zeek/analyzer/Analyzer.h"
-#include "zeek/analyzer/Manager.h"
-#include "zeek/analyzer/protocol/pia/PIA.h"
-#include "zeek/analyzer/protocol/tcp/TCP.h"
-#include "zeek/fuzzers/FuzzBuffer.h"
-#include "zeek/fuzzers/fuzzer-setup.h"
-#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
-#include "zeek/session/Manager.h"
-
-static constexpr auto ZEEK_FUZZ_ANALYZER = "pop3";
-
-static zeek::Connection* add_connection()
- {
- static constexpr double network_time_start = 1439471031;
- zeek::run_state::detail::update_network_time(network_time_start);
-
- zeek::Packet p;
- zeek::ConnTuple conn_id;
- conn_id.src_addr = zeek::IPAddr("1.2.3.4");
- conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
- conn_id.src_port = htons(23132);
- conn_id.dst_port = htons(80);
- conn_id.is_one_way = false;
- conn_id.proto = TRANSPORT_TCP;
- zeek::detail::ConnKey key(conn_id);
- zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
- conn->SetTransport(TRANSPORT_TCP);
- zeek::session_mgr->Insert(conn);
- return conn;
- }
-
-static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
- {
- auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
- auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
- auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
- tcp->AddChildAnalyzer(a);
- tcp->AddChildAnalyzer(pia->AsAnalyzer());
- conn->SetSessionAdapter(tcp, pia);
- return a;
- }
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
- {
- zeek::detail::FuzzBuffer fb{data, size};
-
- if ( ! fb.Valid() )
- return 0;
-
- auto conn = add_connection();
- auto a = add_analyzer(conn);
-
- for ( ;; )
- {
- auto chunk = fb.Next();
-
- if ( ! chunk )
- break;
-
- try
- {
- a->ForwardStream(chunk->size, chunk->data.get(), chunk->is_orig);
- }
- catch ( const binpac::Exception& e )
- {
- }
-
- chunk = {};
- zeek::event_mgr.Drain();
- }
-
- zeek::detail::fuzzer_cleanup_one_input();
- return 0;
- }
diff --git a/src/fuzzers/smtp-fuzzer.cc b/src/fuzzers/smtp-fuzzer.cc
deleted file mode 100644
index 68d42c6912..0000000000
--- a/src/fuzzers/smtp-fuzzer.cc
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "zeek/Conn.h"
-#include "zeek/RunState.h"
-#include "zeek/analyzer/Analyzer.h"
-#include "zeek/analyzer/Manager.h"
-#include "zeek/analyzer/protocol/pia/PIA.h"
-#include "zeek/analyzer/protocol/tcp/TCP.h"
-#include "zeek/fuzzers/FuzzBuffer.h"
-#include "zeek/fuzzers/fuzzer-setup.h"
-#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
-#include "zeek/session/Manager.h"
-
-static constexpr auto ZEEK_FUZZ_ANALYZER = "smtp";
-
-static zeek::Connection* add_connection()
- {
- static constexpr double network_time_start = 1439471031;
- zeek::run_state::detail::update_network_time(network_time_start);
-
- zeek::Packet p;
- zeek::ConnTuple conn_id;
- conn_id.src_addr = zeek::IPAddr("1.2.3.4");
- conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
- conn_id.src_port = htons(23132);
- conn_id.dst_port = htons(80);
- conn_id.is_one_way = false;
- conn_id.proto = TRANSPORT_TCP;
- zeek::detail::ConnKey key(conn_id);
- zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
- conn->SetTransport(TRANSPORT_TCP);
- zeek::session_mgr->Insert(conn);
- return conn;
- }
-
-static zeek::analyzer::Analyzer* add_analyzer(zeek::Connection* conn)
- {
- auto* tcp = new zeek::packet_analysis::TCP::TCPSessionAdapter(conn);
- auto* pia = new zeek::analyzer::pia::PIA_TCP(conn);
- auto a = zeek::analyzer_mgr->InstantiateAnalyzer(ZEEK_FUZZ_ANALYZER, conn);
- tcp->AddChildAnalyzer(a);
- tcp->AddChildAnalyzer(pia->AsAnalyzer());
- conn->SetSessionAdapter(tcp, pia);
- return a;
- }
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
- {
- zeek::detail::FuzzBuffer fb{data, size};
-
- if ( ! fb.Valid() )
- return 0;
-
- auto conn = add_connection();
- auto a = add_analyzer(conn);
-
- for ( ;; )
- {
- auto chunk = fb.Next();
-
- if ( ! chunk )
- break;
-
- try
- {
- a->ForwardStream(chunk->size, chunk->data.get(), chunk->is_orig);
- }
- catch ( const binpac::Exception& e )
- {
- }
-
- chunk = {};
- zeek::event_mgr.Drain();
- }
-
- zeek::detail::fuzzer_cleanup_one_input();
- return 0;
- }
From d8b31de1a21b9463ace15dfa59458c5b8ec2d681 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 24 Aug 2022 17:00:24 -0700
Subject: [PATCH 2/2] Move fuzzer corpus files to another directory
---
 ci/test-fuzzers.sh | 2 +-
 src/fuzzers/{ => corpora}/dns-corpus.zip | Bin
 src/fuzzers/{ => corpora}/ftp-corpus.zip | Bin
 src/fuzzers/{ => corpora}/http-corpus.zip | Bin
 src/fuzzers/{ => corpora}/imap-corpus.zip | Bin
 src/fuzzers/{ => corpora}/packet-corpus.zip | Bin
 src/fuzzers/{ => corpora}/pop3-corpus.zip | Bin
 src/fuzzers/{ => corpora}/smtp-corpus.zip | Bin
 8 files changed, 1 insertion(+), 1 deletion(-)
 rename src/fuzzers/{ => corpora}/dns-corpus.zip (100%)
 rename src/fuzzers/{ => corpora}/ftp-corpus.zip (100%)
 rename src/fuzzers/{ => corpora}/http-corpus.zip (100%)
 rename src/fuzzers/{ => corpora}/imap-corpus.zip (100%)
 rename src/fuzzers/{ => corpora}/packet-corpus.zip (100%)
 rename src/fuzzers/{ => corpora}/pop3-corpus.zip (100%)
 rename src/fuzzers/{ => corpora}/smtp-corpus.zip (100%)
diff --git a/ci/test-fuzzers.sh b/ci/test-fuzzers.sh
index 389c272066..2ee2dc47c6 100755
--- a/ci/test-fuzzers.sh
+++ b/ci/test-fuzzers.sh
@@ -13,7 +13,7 @@ fuzzers=$(find ./src/fuzzers -name 'zeek-*-fuzzer')
 for fuzzer_path in ${fuzzers}; do
 fuzzer_exe=$(basename ${fuzzer_path})
 fuzzer_name=$(echo ${fuzzer_exe} | sed 's/zeek-\(.*\)-fuzzer/\1/g')
- corpus="../src/fuzzers/${fuzzer_name}-corpus.zip"
+ corpus="../src/fuzzers/corpora/${fuzzer_name}-corpus.zip"
 if [[ -e ${corpus} ]]; then
 echo "Fuzzer: ${fuzzer_exe} ${corpus}"
diff --git a/src/fuzzers/dns-corpus.zip b/src/fuzzers/corpora/dns-corpus.zip
similarity index 100%
rename from src/fuzzers/dns-corpus.zip
rename to src/fuzzers/corpora/dns-corpus.zip
diff --git a/src/fuzzers/ftp-corpus.zip b/src/fuzzers/corpora/ftp-corpus.zip
similarity index 100%
rename from src/fuzzers/ftp-corpus.zip
rename to src/fuzzers/corpora/ftp-corpus.zip
diff --git a/src/fuzzers/http-corpus.zip b/src/fuzzers/corpora/http-corpus.zip
similarity index 100%
rename from src/fuzzers/http-corpus.zip
rename to src/fuzzers/corpora/http-corpus.zip
diff --git a/src/fuzzers/imap-corpus.zip b/src/fuzzers/corpora/imap-corpus.zip
similarity index 100%
rename from src/fuzzers/imap-corpus.zip
rename to src/fuzzers/corpora/imap-corpus.zip
diff --git a/src/fuzzers/packet-corpus.zip b/src/fuzzers/corpora/packet-corpus.zip
similarity index 100%
rename from src/fuzzers/packet-corpus.zip
rename to src/fuzzers/corpora/packet-corpus.zip
diff --git a/src/fuzzers/pop3-corpus.zip b/src/fuzzers/corpora/pop3-corpus.zip
similarity index 100%
rename from src/fuzzers/pop3-corpus.zip
rename to src/fuzzers/corpora/pop3-corpus.zip
diff --git a/src/fuzzers/smtp-corpus.zip b/src/fuzzers/corpora/smtp-corpus.zip
similarity index 100%
rename from src/fuzzers/smtp-corpus.zip
rename to src/fuzzers/corpora/smtp-corpus.zip