author | Bart Van Assche <bvanassche@users.noreply.github.com> | 2021-07-25 16:48:39 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-25 23:48:39 +0000 |
commit | b2b06a942519f5df64d7ced5c74eb20308482e03 (patch) | |
tree | 2498a23ba3a6680c2f90145fd05646f247501bc8 /projects/net-snmp | |
parent | 4a13e59f3a09cece14001ed747c08ef06a6fb126 (diff) | |
download | oss-fuzz-b2b06a942519f5df64d7ced5c74eb20308482e03.tar.gz |
[net-snmp] Split and improve snmp_octet_fuzzer (#6111)
* [net-snmp] Include <unistd.h> for getpid()
* [net-snmp] Split and improve snmp_octet_fuzzer
Split snmp_octet_fuzzer into one fuzzer per function to make bug reports
easier to interpret. See also commit ded876646013 ("net-snmp: add two new
fuzzers and simplify build script. (#6091)")
Diffstat (limited to 'projects/net-snmp')
-rwxr-xr-x | projects/net-snmp/build.sh | 12 | ||||
-rw-r--r-- | projects/net-snmp/parse_octet_hint_fuzzer.c | 52 | ||||
-rw-r--r-- | projects/net-snmp/read_objid_fuzzer.c | 46 | ||||
-rw-r--r-- | projects/net-snmp/snmp_mib_fuzzer.c | 2 | ||||
-rw-r--r-- | projects/net-snmp/snmp_parse_oid_fuzzer.c (renamed from projects/net-snmp/snmp_octet_fuzzer.c) | 48 |
5 files changed, 119 insertions, 41 deletions
diff --git a/projects/net-snmp/build.sh b/projects/net-snmp/build.sh index abc799a0c..2a0f061f3 100755 --- a/projects/net-snmp/build.sh +++ b/projects/net-snmp/build.sh @@ -21,7 +21,17 @@ make # build fuzzers (remember to link statically) -for fuzzname in snmp_pdu_parse snmp_parse snmp_scoped_pdu_parse agentx_parse snmp_octet snmp_mib; do +fuzzers=( + agentx_parse + parse_octet_hint + read_objid + snmp_mib + snmp_parse + snmp_parse_oid + snmp_pdu_parse + snmp_scoped_pdu_parse +) +for fuzzname in "${fuzzers[@]}"; do $CC $CFLAGS -c -Iinclude -Iagent/mibgroup/agentx $SRC/${fuzzname}_fuzzer.c -o $WORK/${fuzzname}_fuzzer.o $CXX $CXXFLAGS $WORK/${fuzzname}_fuzzer.o \ $LIB_FUZZING_ENGINE snmplib/.libs/libnetsnmp.a \ diff --git a/projects/net-snmp/parse_octet_hint_fuzzer.c b/projects/net-snmp/parse_octet_hint_fuzzer.c new file mode 100644 index 000000000..0495f3b5f --- /dev/null +++ b/projects/net-snmp/parse_octet_hint_fuzzer.c 
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <net-snmp/net-snmp-config.h>
+#include <net-snmp/net-snmp-includes.h>
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ if (getenv("NETSNMP_DEBUGGING") != NULL) {
+ /*
+ * Turn on all debugging, to help understand what
+ * bits of the parser are running.
+ */
+ snmp_enable_stderrlog();
+ snmp_set_do_debugging(1);
+ debug_register_tokens("");
+ }
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *hint, *value;
+ int value_start, new_val_len;
+ unsigned char *new_val;
+
+ hint = strndup((const char *)data, size);
+ value_start = strlen(hint);
+ assert(value_start <= size);
+ value = strndup((const char *)data + value_start, size - value_start);
+ parse_octet_hint(hint, value, &new_val, &new_val_len);
+ free(new_val);
+ free(hint);
+ free(value);
+ return 0;
+}
diff --git a/projects/net-snmp/read_objid_fuzzer.c b/projects/net-snmp/read_objid_fuzzer.c
new file mode 100644
index 000000000..1d49508b9
--- /dev/null
+++ b/projects/net-snmp/read_objid_fuzzer.c
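Review bot: `value` is always the empty string in LLVMFuzzerTestOneInput, so parse_octet_hint() never sees fuzzer-controlled value bytes: `value_start = strlen(hint)` is the offset of the first NUL in `data` (or `size` when there is none), and the second `strndup` starts copying at that NUL. Skipping the separator restores the intended hint/value split, e.g. keep `value_start = strlen(hint);` and add `if (value_start < size) value_start++;` before the assert. Separately, `new_val` is passed uninitialised and then handed to `free()`; unless parse_octet_hint() stores to it on every path, which this page does not show, that is an invalid free originating in the harness, so `unsigned char *new_val = NULL;` is the safer declaration.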
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <net-snmp/net-snmp-config.h>
+#include <net-snmp/net-snmp-includes.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ if (getenv("NETSNMP_DEBUGGING") != NULL) {
+ /*
+ * Turn on all debugging, to help understand what
+ * bits of the parser are running.
+ */
+ snmp_enable_stderrlog();
+ snmp_set_do_debugging(1);
+ debug_register_tokens("");
+ }
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ oid *objid = malloc(MAX_OID_LEN * sizeof(oid));
+ size_t objidlen = MAX_OID_LEN;
+ char *input;
+
+ input = strndup((const char *)data, size);
+ read_objid(input, objid, &objidlen);
+ free(objid);
+ free(input);
+ return 0;
+}
diff --git a/projects/net-snmp/snmp_mib_fuzzer.c b/projects/net-snmp/snmp_mib_fuzzer.c
index 5d9dd9234..ccac14a9f 100644
--- a/projects/net-snmp/snmp_mib_fuzzer.c
+++ b/projects/net-snmp/snmp_mib_fuzzer.c
@@ -13,11 +13,13 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+
 #include <net-snmp/net-snmp-config.h>
 #include <net-snmp/net-snmp-includes.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>
+#include <unistd.h>
 
 int LLVMFuzzerInitialize(int *argc, char ***argv) {
 if (getenv("NETSNMP_DEBUGGING") != NULL) {
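Review bot: Neither the `malloc` for `objid` nor the `strndup` for `input` is checked before the pointers reach read_objid() in read_objid_fuzzer.c, so an allocation failure would likely surface as a crash attributed to the library rather than to the harness. A guard before the call, `if (objid == NULL || input == NULL) { free(objid); free(input); return 0; }`, keeps such reports out of triage. The same unchecked `strndup`/`malloc` pattern appears in parse_octet_hint_fuzzer.c and snmp_parse_oid_fuzzer.c in this commit. This file also calls `strndup` without including `<string.h>`; the declaration may arrive through net-snmp-includes.h, but parse_octet_hint_fuzzer.c includes it explicitly and this file should match.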
diff --git a/projects/net-snmp/snmp_octet_fuzzer.c b/projects/net-snmp/snmp_parse_oid_fuzzer.c
index ba15218ff..2b069f7f8 100644
--- a/projects/net-snmp/snmp_octet_fuzzer.c
+++ b/projects/net-snmp/snmp_parse_oid_fuzzer.c
@@ -13,6 +13,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+
 #include <net-snmp/net-snmp-config.h>
 #include <net-snmp/net-snmp-includes.h>
 #include <stddef.h>
@@ -37,46 +38,13 @@ int SecmodInMsg_CB(struct snmp_secmod_incoming_params *sp1) {
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- // We need to have at least oen byte for our decider var.
- if (size == 0) {
- return 0;
- }
- const uint8_t decider = *data;
- data += 1;
- size -= 1;
-
- char *new_str = malloc(size+1);
- if (new_str == NULL){
- return 0;
- }
- memcpy(new_str, data, size);
- new_str[size] = '\0';
-
- // This fuzzer hits multiple entrypoints, use the first byte of the fuzz
- // data to decide which entrypoint.
- switch (decider % 3) {
- case 0: {
- oid *root = malloc(MAX_OID_LEN * sizeof(oid));
- size_t rootlen;
- snmp_parse_oid(new_str, root, &rootlen);
- free(root);
- break;
- }
- case 1: {
- oid *objid = malloc(MAX_OID_LEN * sizeof(oid));
- size_t objidlen = MAX_OID_LEN;
- read_objid(new_str, objid, &objidlen);
- free(objid);
- break;
- }
- case 2: {
- unsigned char *new_val;
- size_t new_val_len;
- parse_octet_hint(new_str, new_str, &new_val, &new_val_len);
- break;
- }
- }
+ oid *root = malloc(MAX_OID_LEN * sizeof(oid));
+ size_t rootlen;
+ char *input;
 
- free(new_str);
+ input = strndup((const char *)data, size);
+ snmp_parse_oid((const char *)input, root, &rootlen);
+ free(root);
+ free(input);
 return 0;
 }
|
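Review bot: `rootlen` is still uninitialised when its address is passed to snmp_parse_oid() in LLVMFuzzerTestOneInput; the declaration was carried over unchanged from the removed `case 0`. The sibling read_objid_fuzzer.c added in this commit sets its length argument to the buffer capacity before the call. If snmp_parse_oid() likewise treats the length as in/out (its definition is not on this page), the harness hands it an indeterminate capacity for a `MAX_OID_LEN`-element buffer, which can produce out-of-bounds writes or non-reproducible reports that originate in the harness rather than the library. `size_t rootlen = MAX_OID_LEN;` fixes that. The `(const char *)` cast on `input` is also redundant.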