/work/toxcore/forwarding_fuzz_test.cc
Line | Count | Source |
1 | | #include "forwarding.h" |
2 | | |
3 | | #include <cassert> |
4 | | #include <cstring> |
5 | | #include <memory> |
6 | | #include <optional> |
7 | | |
8 | | #include "../testing/fuzzing/fuzz_support.h" |
9 | | #include "../testing/fuzzing/fuzz_tox.h" |
10 | | |
11 | | namespace { |
12 | | |
13 | | std::optional<std::tuple<IP_Port, IP_Port, const uint8_t *, size_t>> prepare(Fuzz_Data &input) |
14 | 35 | { |
15 | 35 | CONSUME_OR_RETURN_VAL(const uint8_t *ipp_packed, input, SIZE_IP_PORT, std::nullopt); |
16 | 33 | IP_Port ipp; |
17 | 33 | unpack_ip_port(&ipp, ipp_packed, SIZE_IP6, true); |
18 | | |
19 | 33 | CONSUME_OR_RETURN_VAL(const uint8_t *forwarder_packed, input, SIZE_IP_PORT, std::nullopt); |
20 | 28 | IP_Port forwarder; |
21 | 28 | unpack_ip_port(&forwarder, forwarder_packed, SIZE_IP6, true); |
22 | | |
23 | | // 2 bytes: size of the request |
24 | 28 | CONSUME_OR_RETURN_VAL(const uint8_t *data_size_bytes, input, sizeof(uint16_t), std::nullopt); |
25 | 23 | uint16_t data_size; |
26 | 23 | std::memcpy(&data_size, data_size_bytes, sizeof(uint16_t)); |
27 | | |
28 | | // data bytes (max 64K) |
29 | 23 | CONSUME_OR_RETURN_VAL(const uint8_t *data, input, data_size, std::nullopt); |
30 | | |
31 | 22 | return {{ipp, forwarder, data, data_size}}; |
32 | 23 | } |
33 | | |
34 | | void TestSendForwardRequest(Fuzz_Data &input) |
35 | 16 | { |
36 | 16 | CONSUME1_OR_RETURN(const uint16_t, chain_length, input); |
37 | 15 | const uint16_t chain_keys_size = chain_length * CRYPTO_PUBLIC_KEY_SIZE; |
38 | 15 | CONSUME_OR_RETURN(const uint8_t *chain_keys, input, chain_keys_size); |
39 | | |
40 | 14 | auto prep = prepare(input); |
41 | 14 | if (!prep.has_value()) { |
42 | 2 | return; |
43 | 2 | } |
44 | 12 | auto [ipp, forwarder, data, data_size] = prep.value(); |
45 | | |
46 | | // rest of the fuzz data is input for malloc and network |
47 | 12 | Fuzz_System sys(input); |
48 | | |
49 | 12 | Ptr<Logger> logger(logger_new(), logger_kill); |
50 | | |
51 | 12 | Ptr<Networking_Core> net(new_networking_ex(logger.get(), sys.mem.get(), sys.ns.get(), &ipp.ip, |
52 | 12 | ipp.port, ipp.port + 100, nullptr), |
53 | 12 | kill_networking); |
54 | 12 | if (net == nullptr) { |
55 | 2 | return; |
56 | 2 | } |
57 | | |
58 | 10 | send_forward_request(net.get(), &forwarder, chain_keys, chain_length, data, data_size); |
59 | 10 | } |
60 | | |
61 | | void TestForwardReply(Fuzz_Data &input) |
62 | 23 | { |
63 | 23 | CONSUME1_OR_RETURN(const uint16_t, sendback_length, input); |
64 | 22 | CONSUME_OR_RETURN(const uint8_t *sendback, input, sendback_length); |
65 | | |
66 | 21 | auto prep = prepare(input); |
67 | 21 | if (!prep.has_value()) { |
68 | 11 | return; |
69 | 11 | } |
70 | 10 | auto [ipp, forwarder, data, data_size] = prep.value(); |
71 | | |
72 | | // rest of the fuzz data is input for malloc and network |
73 | 10 | Fuzz_System sys(input); |
74 | | |
75 | 10 | Ptr<Logger> logger(logger_new(), logger_kill); |
76 | | |
77 | 10 | Ptr<Networking_Core> net(new_networking_ex(logger.get(), sys.mem.get(), sys.ns.get(), &ipp.ip, |
78 | 10 | ipp.port, ipp.port + 100, nullptr), |
79 | 10 | kill_networking); |
80 | 10 | if (net == nullptr) { |
81 | 1 | return; |
82 | 1 | } |
83 | | |
84 | 9 | forward_reply(net.get(), &forwarder, sendback, sendback_length, data, data_size); |
85 | 9 | } |
86 | | |
87 | | } // namespace |
88 | | |
89 | | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); |
90 | | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) |
91 | 2.99k | { |
92 | 2.99k | fuzz_select_target<TestSendForwardRequest, TestForwardReply>(data, size); |
93 | 2.99k | return 0; |
94 | 2.99k | } |