author | DavidKorczynski <david@adalogics.com> | 2021-07-23 09:54:49 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-23 09:54:49 +0100 |
commit | ded8766460136eada6da4f6fbf039f46d6e5c1f1 (patch) | |
tree | d257013abeb886b9b0d58953416342073343f39b /projects/net-snmp | |
parent | 234984c0daf02b61b91fa75e85911973febd963c (diff) | |
download | oss-fuzz-ded8766460136eada6da4f6fbf039f46d6e5c1f1.tar.gz |
net-snmp: add two new fuzzers and simplify build script. (#6091)
Signed-off-by: David Korczynski <david@adalogics.com>
Diffstat (limited to 'projects/net-snmp')
-rwxr-xr-x | projects/net-snmp/build.sh | 8 | ||||
-rw-r--r-- | projects/net-snmp/snmp_mib_fuzzer.c | 58 | ||||
-rw-r--r-- | projects/net-snmp/snmp_octet_fuzzer.c | 82 |
3 files changed, 144 insertions, 4 deletions
diff --git a/projects/net-snmp/build.sh b/projects/net-snmp/build.sh
index 3c0265d5d..abc799a0c 100755
--- a/projects/net-snmp/build.sh
+++ b/projects/net-snmp/build.sh
@@ -21,11 +21,11 @@ make
 # build fuzzers (remember to link statically)
-for fuzzname in snmp_pdu_parse_fuzzer snmp_parse_fuzzer snmp_scoped_pdu_parse_fuzzer agentx_parse_fuzzer; do
- $CC $CFLAGS -c -Iinclude -Iagent/mibgroup/agentx $SRC/${fuzzname}.c -o $WORK/${fuzzname}.o
- $CXX $CXXFLAGS $WORK/${fuzzname}.o \
+for fuzzname in snmp_pdu_parse snmp_parse snmp_scoped_pdu_parse agentx_parse snmp_octet snmp_mib; do
+ $CC $CFLAGS -c -Iinclude -Iagent/mibgroup/agentx $SRC/${fuzzname}_fuzzer.c -o $WORK/${fuzzname}_fuzzer.o
+ $CXX $CXXFLAGS $WORK/${fuzzname}_fuzzer.o \
 $LIB_FUZZING_ENGINE snmplib/.libs/libnetsnmp.a \
 agent/.libs/libnetsnmpagent.a \
 -Wl,-Bstatic -lcrypto -Wl,-Bdynamic -lm \
- -o $OUT/${fuzzname}
+ -o $OUT/${fuzzname}_fuzzer
 done
diff --git a/projects/net-snmp/snmp_mib_fuzzer.c b/projects/net-snmp/snmp_mib_fuzzer.c
new file mode 100644
index 000000000..5d9dd9234
--- /dev/null
+++ b/projects/net-snmp/snmp_mib_fuzzer.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <net-snmp/net-snmp-config.h>
+#include <net-snmp/net-snmp-includes.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ if (getenv("NETSNMP_DEBUGGING") != NULL) {
+ /*
+ * Turn on all debugging, to help understand what
+ * bits of the parser are running.
+ */
+ snmp_enable_stderrlog();
+ snmp_set_do_debugging(1);
+ debug_register_tokens("");
+ }
+ return 0;
+}
+
+int SecmodInMsg_CB(struct snmp_secmod_incoming_params *sp1) {
+ return SNMPERR_SUCCESS;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char *filename;
+ if (asprintf(&filename, "/tmp/fuzzed-mib.%d", getpid()) == -1) {
+ return 0;
+ }
+
+ FILE *fp = fopen(filename, "wb");
+ if (!fp) {
+ return 0;
+ }
+ fwrite(data, size, 1, fp);
+ fclose(fp);
+
+ // Read the file
+ read_mib(filename);
+
+ unlink(filename);
+ free(filename);
+ return 0;
+}
diff --git a/projects/net-snmp/snmp_octet_fuzzer.c b/projects/net-snmp/snmp_octet_fuzzer.c
new file mode 100644
index 000000000..ba15218ff
--- /dev/null
+++ b/projects/net-snmp/snmp_octet_fuzzer.c
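Review bot: The `if (!fp)` early return in LLVMFuzzerTestOneInput leaks `filename`, which asprintf allocated two lines earlier; at minimum that branch needs `free(filename);` before `return 0;`. The pid-derived name under /tmp is also opened with a plain `fopen`, so whatever already sits at that path (a stale file from a previous run, or a symlink) is followed silently; `mkstemp` creates the file exclusively with an unpredictable name, and since the name then lives in a stack array the leak disappears along with the trailing `free(filename)`. `fdopen` and `close` would come from the same headers that already supply `unlink` and `getpid` here, presumably via net-snmp-includes.h, but that should be confirmed when building. Whether read_mib also needs the MIB subsystem initialised in LLVMFuzzerInitialize I cannot tell from this hunk.
```c
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /* Exclusive create with an unpredictable name; the name lives on the
   * stack, so no exit path has anything to free. */
  char filename[] = "/tmp/fuzzed-mib.XXXXXX";
  int fd = mkstemp(filename);
  if (fd == -1) {
    return 0;
  }
  FILE *fp = fdopen(fd, "wb");
  if (!fp) {
    close(fd);
    unlink(filename);
    return 0;
  }
  fwrite(data, size, 1, fp);
  fclose(fp);
  /* … unchanged: read_mib(filename); unlink(filename); … */
  return 0;
}
```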
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <net-snmp/net-snmp-config.h>
+#include <net-snmp/net-snmp-includes.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ if (getenv("NETSNMP_DEBUGGING") != NULL) {
+ /*
+ * Turn on all debugging, to help understand what
+ * bits of the parser are running.
+ */
+ snmp_enable_stderrlog();
+ snmp_set_do_debugging(1);
+ debug_register_tokens("");
+ }
+ return 0;
+}
+
+int SecmodInMsg_CB(struct snmp_secmod_incoming_params *sp1) {
+ return SNMPERR_SUCCESS;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ // We need to have at least oen byte for our decider var.
+ if (size == 0) {
+ return 0;
+ }
+ const uint8_t decider = *data;
+ data += 1;
+ size -= 1;
+
+ char *new_str = malloc(size+1);
+ if (new_str == NULL){
+ return 0;
+ }
+ memcpy(new_str, data, size);
+ new_str[size] = '\0';
+
+ // This fuzzer hits multiple entrypoints, use the first byte of the fuzz
+ // data to decide which entrypoint.
+ switch (decider % 3) {
+ case 0: {
+ oid *root = malloc(MAX_OID_LEN * sizeof(oid));
+ size_t rootlen;
+ snmp_parse_oid(new_str, root, &rootlen);
+ free(root);
+ break;
+ }
+ case 1: {
+ oid *objid = malloc(MAX_OID_LEN * sizeof(oid));
+ size_t objidlen = MAX_OID_LEN;
+ read_objid(new_str, objid, &objidlen);
+ free(objid);
+ break;
+ }
+ case 2: {
+ unsigned char *new_val;
+ size_t new_val_len;
+ parse_octet_hint(new_str, new_str, &new_val, &new_val_len);
+ break;
+ }
+ }
+
+ free(new_str);
+ return 0;
+} |
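Review bot: `size_t rootlen;` in case 0 is handed to snmp_parse_oid uninitialised, but that parameter is in/out — it is read as the capacity of `root` before the parsed OID is written into it, which is exactly why case 1 sets `size_t objidlen = MAX_OID_LEN;` for read_objid; case 0 needs the same, `size_t rootlen = MAX_OID_LEN;`, otherwise the harness itself reads an indeterminate value and can overrun `root`. In case 2 nothing releases `new_val` after a successful parse; if parse_octet_hint allocates it on a 0 return, as net-snmp's own callers appear to assume, LeakSanitizer will attribute that leak to the harness, so `if (parse_octet_hint(new_str, new_str, &new_val, &new_val_len) == 0) free(new_val);` is the safer form. The `size_t` type of `new_val_len` should also be checked against the prototype in net-snmp's mib.h, which I recall taking `int *`. The two `malloc(MAX_OID_LEN * sizeof(oid))` results are unchecked, and `memcpy` relies on <string.h> arriving through the net-snmp headers rather than an explicit include.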