File: forwarding_fuzz_test.cc

package info (click to toggle)
libtoxcore 0.2.20-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 6,124 kB
  • sloc: ansic: 75,034; cpp: 4,933; sh: 1,115; python: 651; makefile: 329; perl: 39
file content (94 lines) | stat: -rw-r--r-- 2,967 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
 
#include "forwarding.h"

#include <cassert>
#include <cstring>
#include <memory>
#include <optional>

#include "../testing/fuzzing/fuzz_support.hh"
#include "../testing/fuzzing/fuzz_tox.hh"

namespace {

std::optional<std::tuple<IP_Port, IP_Port, const uint8_t *, size_t>> prepare(Fuzz_Data &input)
{
    CONSUME_OR_RETURN_VAL(const uint8_t *ipp_packed, input, SIZE_IP_PORT, std::nullopt);
    IP_Port ipp;
    unpack_ip_port(&ipp, ipp_packed, SIZE_IP6, true);

    CONSUME_OR_RETURN_VAL(const uint8_t *forwarder_packed, input, SIZE_IP_PORT, std::nullopt);
    IP_Port forwarder;
    unpack_ip_port(&forwarder, forwarder_packed, SIZE_IP6, true);

    // 2 bytes: size of the request
    CONSUME_OR_RETURN_VAL(const uint8_t *data_size_bytes, input, sizeof(uint16_t), std::nullopt);
    uint16_t data_size;
    std::memcpy(&data_size, data_size_bytes, sizeof(uint16_t));

    // data bytes (max 64K)
    CONSUME_OR_RETURN_VAL(const uint8_t *data, input, data_size, std::nullopt);

    return {{ipp, forwarder, data, data_size}};
}

void TestSendForwardRequest(Fuzz_Data &input)
{
    CONSUME1_OR_RETURN(const uint16_t, chain_length, input);
    const uint16_t chain_keys_size = chain_length * CRYPTO_PUBLIC_KEY_SIZE;
    CONSUME_OR_RETURN(const uint8_t *chain_keys, input, chain_keys_size);

    auto prep = prepare(input);
    if (!prep.has_value()) {
        return;
    }
    auto [ipp, forwarder, data, data_size] = prep.value();

    // rest of the fuzz data is input for malloc and network
    Fuzz_System sys(input);

    Ptr<Logger> logger(logger_new(), logger_kill);

    Ptr<Networking_Core> net(new_networking_ex(logger.get(), sys.mem.get(), sys.ns.get(), &ipp.ip,
                                 ipp.port, ipp.port + 100, nullptr),
        kill_networking);
    if (net == nullptr) {
        return;
    }

    send_forward_request(net.get(), &forwarder, chain_keys, chain_length, data, data_size);
}

void TestForwardReply(Fuzz_Data &input)
{
    CONSUME1_OR_RETURN(const uint16_t, sendback_length, input);
    CONSUME_OR_RETURN(const uint8_t *sendback, input, sendback_length);

    auto prep = prepare(input);
    if (!prep.has_value()) {
        return;
    }
    auto [ipp, forwarder, data, data_size] = prep.value();

    // rest of the fuzz data is input for malloc and network
    Fuzz_System sys(input);

    Ptr<Logger> logger(logger_new(), logger_kill);

    Ptr<Networking_Core> net(new_networking_ex(logger.get(), sys.mem.get(), sys.ns.get(), &ipp.ip,
                                 ipp.port, ipp.port + 100, nullptr),
        kill_networking);
    if (net == nullptr) {
        return;
    }

    forward_reply(net.get(), &forwarder, sendback, sendback_length, data, data_size);
}

}  // namespace

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    fuzz_select_target<TestSendForwardRequest, TestForwardReply>(data, size);
    return 0;
}