Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fuzz tcpsplit v1 #4917

Closed
wants to merge 2 commits into from
Closed

Fuzz tcpsplit v1 #4917

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to redmine ticket:
None

Describe changes:

  • Adds a fuzz target with differential fuzzing against TCP splitting
  • Adds const keyword for some function arguments

Open questions :

  • Can we know if for some app layer protocol, it can be seen over TCP ? (how ?)
  • Code style

Tested with input file
alert ssh any any -> any any (msg:"SSH"; ssh.protoversion:2_compat; sid:1;)%0A%00%05%00%124%00%16SSH-2.0-test%0A

  • Ok with current version
  • Triggers abort with dummy patch
diff --git a/src/app-layer-ssh.c b/src/app-layer-ssh.c
index 910803f4a..662f7770e 100644
--- a/src/app-layer-ssh.c
+++ b/src/app-layer-ssh.c
@@ -343,7 +343,7 @@ static int EnoughData(const uint8_t *input, uint32_t input_len)
 {
     uint32_t u;
     for (u = 0; u < input_len; u++) {
-        if (input[u] == '\r' || input[u] == '\n')
+        if (input[u] == '\r' || input[u] == '\n' || input == '.')
             return TRUE;
     }
     return FALSE;

@catenacyber
check: Using const keyword for some arguments
e4cd5dd
@catenacyber
fuzz: adds new differential fuzz target
5d90148 
Tries tcp stream parsing against rule detection.
And tries it again with splitting byte by byte.
And checks if we get the same alerts.
catenacyber
catenacyber commented May 4, 2020
View reviewed changes
src/detect-engine.c
@@ -2739,7 +2739,12 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
memset(det_ctx, 0, sizeof(DetectEngineThreadCtx));

det_ctx->tv = tv;
#if defined(FUZZ)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

inspired by unit tests mode a few lines below

catenacyber
catenacyber commented May 4, 2020
View reviewed changes
src/suricata.c
@@ -2159,11 +2159,13 @@ static void SetupDelayedDetect(SCInstance *suri)

static int LoadSignatures(DetectEngineCtx *de_ctx, SCInstance *suri)
{
#ifndef FUZZ
if (SigLoadSignatures(de_ctx, suri->sig_file, suri->sig_file_exclusive) < 0) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure this is the best way

catenacyber
catenacyber commented May 4, 2020
View reviewed changes
src/tests/fuzz/fuzz_tcpsplit.c
TcpReassemblyThreadCtx *ra_ctx = NULL;
uint64_t forceLayer = 0;

static Packet *TestHelperBuildPacketAndFlow(const char *src, const char *dst,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any good replacement ?

catenacyber
catenacyber commented May 4, 2020
View reviewed changes
src/tests/fuzz/fuzz_tcpsplit.c
}

static int TestHelperAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, const uint8_t *payload, uint16_t len, Packet *p)
{
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

inspired by StreamTcpUTAddSegmentWithPayload

The whole thing is inspired by tests such as DetectSshVersionTestDetect01 from ssh rust branch

catenacyber
catenacyber commented May 4, 2020
View reviewed changes
src/tests/fuzz/fuzz_tcpsplit.c
goto end;
}
p->flow->protoctx = &ssn;
psplit->flow->protoctx = &ssnsplit;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO : have these in the helper function

@catenacyber
Copy link
Contributor Author

catenacyber commented May 4, 2020
edited

This is a follow up to generalize bug findings such as #4792 or https://redmine.openinfosecfoundation.org/issues/3631

@catenacyber
Copy link
Contributor Author

This will need corpus generation to serialized format from rule and pcap (and use S-V directories).

Are there rules who are meant to be sensitive to TCP splitting ?
Should we restrict this to app-layer rules ?

@catenacyber catenacyber closed this Sep 4, 2020
@catenacyber catenacyber deleted the fuzz-tcpsplit-v1 branch September 4, 2020 12:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien will be requested when the pull request is marked ready for review victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
1 participant
@catenacyber